
Page 1: Migrating Your LAN to IEEE 802 - Core IT Programcore-it.wwsi.edu.pl/upload/materialy/cisco1/TECSEC_2010...(LDAP, SMB) Kerberos Authentication (Machine Account) Computer GPOs Loading

Migrating Your LAN to IEEE 802.1X

Gaweł Mikołajczyk [email protected] Consulting Systems Engineer, Emerging Markets East CCIE #24987, CISSP-ISSAP


© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 2

Session Objectives

At the end of the session, you should understand:

• How 802.1X works

• The benefits of deploying 802.1X

• How to configure and deploy 802.1X using Cisco switches, ACS 5.1 and various supplicants

• How to integrate existing technologies such as IP telephony, guest access, PXE, etc.

• The value and application of deployment scenarios

• How to make this work when you get back to your lab

You should also:

• Provide us with feedback!


Identity and Authentication Overview


Why Identity Is Important

1. Who are you? 802.1X (or a supplementary method) authenticates the user.

2. Where can you go? Based on authentication, the user is placed in the correct VLAN.

3. What service level do you receive? The user can be given per-user services (ACLs today, more to come).

4. What are you doing? The user's identity and location can be used for tracking and accounting.

Keep the Outsiders Out. Keep the Insiders Honest. Personalize the Network. Increase Network Visibility.


IEEE 802.1X: The Foundation of Identity

Supplicant (802.1X Client) <-- EAP over LAN (EAPoL) --> Authenticator (e.g. Switch, Access Point) <-- RADIUS --> Authentication Server

IEEE 802.1 working group standard

Provides port-based access control using authentication

Defines encapsulation for Extensible Authentication Protocol (EAP) over IEEE 802 media: "EAPoL"

Enforcement via MAC-based filtering and port-state monitoring


Default Port State without 802.1X

No visibility

No Access Control

No Authentication Required



Default Security with 802.1X: Before Authentication

No visibility (yet)

Strict Access Control

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

ALL traffic except EAPoL is dropped

One Physical Port -> Two Virtual Ports

Uncontrolled port (EAPoL only)

Controlled port (everything else)


Default Security with 802.1X: After Authentication

User/Device is Known

Identity-based Access Control

• Single MAC per port

Looks the same as without 802.1X

Authenticated User: Sally
Authenticated Machine: XP-ssales-45

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

Having read your mind, Sally, that is true: unless you apply an authorization, access is wide open. We can restrict access via dynamic VLAN assignment or downloadable ACLs.


Identity and Authentication: 802.1X, EAP, and RADIUS


A Closer Look at 802.1X

Supplicant (SSC) <-- Layer 2 Point-to-Point --> Authenticator <-- Layer 3 Link --> Authentication Server

Port Unauthorized

1. Supplicant -> Authenticator: EAPoL Start

2. Authenticator -> Supplicant: EAP ID-Request

3. Supplicant -> Authenticator: EAP ID-Response. Authenticator -> Authentication Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

4. Authentication Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]. Authenticator -> Supplicant: EAP-Request: PEAP

5. Supplicant -> Authenticator: EAP-Response: PEAP. Authenticator -> Authentication Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]. Multiple Challenge-Request exchanges possible.

6. Authentication Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-nnn]. Authenticator -> Supplicant: EAP Success

Port Authorized

7. Supplicant -> Authenticator: EAPoL Logoff

Port Unauthorized


What Does EAP Do?

Establishes and manages the connection

Allows authentication by encapsulating various types of authentication exchanges

• Actual authentication exchanges are called EAP Methods

Provides a flexible link layer security framework

• Can run over any link layer (PPP, 802, etc.)

Defined by RFC 3748

Encapsulation between Supplicant and Authenticator (EAPoL): Ethernet Header | 802.1X Header | EAP Payload

Encapsulation between Authenticator and Authentication Server (RADIUS): IP Header | UDP | RADIUS | EAP Payload
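As an added example (not code from the slides or from Cisco), a Python decoder for the supplicant-side encapsulation just described: Ethernet header, 802.1X (EAPoL) header, EAP payload. The frames it parses are constructed (the EAPoL Start and Alice's Identity-Response from the sequence slide), and the EAP method numbers are the IANA assignments for the methods this deck covers.

```python
"""Decode an EAP packet carried in an EAPoL (IEEE 802.1X) frame.

Added example, not from the slides or from Cisco. Layout follows the
slide: Ethernet header | 802.1X (EAPoL) header | EAP payload (RFC 3748).
The sample frames at the bottom are constructed, not captured.
"""
import struct
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods named in the deck.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 6: "GTC", 13: "TLS", 17: "LEAP",
             18: "SIM", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}


def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header; Request/Response also carry a Type and type-data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        eap["type"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        eap["type_data"] = pkt[5:length]
        if pkt[4] == 1:
            # The outer identity travels in the clear on the wire; tunneled
            # methods with an anonymous outer identity exist to hide it.
            eap["identity"] = eap["type_data"].decode("utf-8", "replace")
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet + EAPoL headers; decode EAP only for EAP-Packet frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPoL Packet Body Length exceeds frame")
    result = {
        "dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
    }
    if eapol_type == 0:
        result["eap"] = parse_eap(body)
    return result


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet; Success/Failure have no Type, Request/Response do."""
    payload = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol_frame(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Supplicant -> authenticator frame to the PAE group address, EAPoL version 1."""
    return (PAE_GROUP_ADDRESS + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)


# Constructed samples: EAPoL Start and Alice's Identity-Response (code 2, id 1, type 1).
SUPPLICANT_MAC = bytes.fromhex("000a957fde06")
SAMPLE_EAPOL_START = build_eapol_frame(SUPPLICANT_MAC, 1)
SAMPLE_IDENTITY_RESPONSE = build_eapol_frame(SUPPLICANT_MAC, 0, build_eap(2, 1, 1, b"Alice"))

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_EAPOL_START))
    print(parse_eapol_frame(SAMPLE_IDENTITY_RESPONSE))
```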


EAP Authentication Methods

Challenge-response-based

• MD5: uses MD5 based challenge-response for authentication

• LEAP: username/password authentication

• EAP-MSCHAPv2: username/password MSCHAPv2 challenge-response authentication

Cryptographic-based

• EAP-TLS: X.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling methods

• PEAP: encapsulates other EAP types in an encrypted tunnel

• EAP-TTLS: encapsulates other EAP types in an encrypted tunnel

• EAP-FAST: designed to not require client certificates

Other

• EAP-GTC: generic token and OTP authentication

• EAP-SIM: SIM-based authentication


Tunneling Methods

Some EAP methods set up an encrypted tunnel and pass credentials through the tunnel

Anonymous outer identity: provides the ability to completely obfuscate the user's credentials

• SSC / ACS: Yes

• Windows Native / IAS: No

Some EAP methods require an EAP method inside the tunnel (PEAP and FAST)

Some EAP methods do not require an EAP method inside the tunnel (TTLS): used with legacy RADIUS


EAP Protocols: Feature Support

Feature                          | EAP-TLS                  | PEAP                     | EAP-FAST
Single Sign-on                   | Yes                      | Yes                      | Yes
Login Scripts (Active Directory) | Yes                      | Yes                      | Yes
Password Expiration (AD)         | N/A                      | Yes                      | Yes
Client and OS Availability       | SSC, XP, Win7 and Others | SSC, XP, Win7 and Others | SSC, Win7 and Others
MS DB Support                    | Yes                      | Yes                      | Yes
LDAP DB Support                  | Yes                      | Yes                      | Yes
OTP Support                      | No                       | Yes                      | Yes
Off-line Dictionary Attacks      | No                       | No                       | No
Server Certificates Required     | Yes                      | Yes                      | No
Client Certificates Required     | Yes                      | No                       | No
Computing Impact                 | High                     | Medium                   | Low


Factors that Drive EAP Method

Enterprise security policy

• Certificate Authority deployment may drive EAP type

• Two factor authentication may require EAP-TLS

• Security vs. Convenience Trade-offs

Client support

• Windows supports EAP-TLS, PEAP w/EAP-MSCHAPv2, PEAP w/EAP-TLS

• 3rd party supplicants support a large variety of EAP types, but not all

Authentication server support

• RADIUS servers support a large variety of EAP types, but not all

Identity store

• PEAP w/EAP-MSCHAPv2 can only be used with authentication stores that store passwords in MSCHAPv2 format

• Not every identity store supports all the EAP types

Use as many methods as needed depending on devices


Identity & Authentication: Who (or What) Authenticates?


Problem Statement

Who should the network authenticate?

• A user using a device

• A device

• Both the user and the device

Device boot process and network connectivity assumption

• Boot without using network resources: standalone

• Boot from the network: Xterm, NetPC, PXE

• Boot and use network resources: networked (Network File System; managed devices: connection to LDAP, Active Directory; device health check: patch level checker, central AV system)


Example: Network Assumption, Microsoft Windows

Power On -> Kernel Loading -> Windows HAL Loading -> Device Driver Loading -> Obtain Network Address (Static, DHCP) -> Determine Site and DC (DNS, LDAP) -> Establish Secure Channel to AD (LDAP, SMB) -> Kerberos Authentication (Machine Account) -> Computer GPOs Loading (Async) -> GPO based Startup Script Execution -> Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update -> GINA -> Kerberos Auth (User Account) -> User GPOs Loading (Async) -> GPO based Logon Script Execution (SMB)

Everything from Obtain Network Address onward depends on network connectivity: an inherent assumption of network connectivity in the boot process.

With 802.1X user authentication only, the earliest network connectivity is at GINA (user logon), so the machine-phase components before it are broken.


802.1X Device and User Authentication

User authentication ONLY

• Possible when the device has no dependency on network resources

• Can run a user script to access network resources post login

• Be careful, this can break Microsoft group and system policies

Device authentication ONLY

• Mandatory as soon as there is a dependency on network resources

• Authorization is linked to the device, not to the user using the device

Device and User

• Authorization is highly flexible

• Advanced features needed on supplicants

• Synchronization needed with other applications and processes on the client PC: DHCP, DNS, NFS, etc.

• Switches contexts when going from one to the other


Microsoft Windows Example: User and Device Authentication

Each sequence runs from Power Up to Windows domain logon; network connectivity starts at the point of 802.1X authorization.

User Authentication: Power Up -> Load NDIS Drivers -> Present GINA -> 802.1X User Auth -> DHCP -> Setup Secure Channel to DC -> Windows Domain Auth -> Update GPOs -> Apply Computer GPOs

* No Connectivity to Domain Controller Until User Logs In

Machine Authentication: Power Up -> Load NDIS Drivers -> 802.1X Machine Auth -> DHCP -> Setup Secure Channel to DC -> Update GPOs -> Apply Computer GPOs -> Present GINA -> Windows Domain Auth

* 802.1X Early in Boot Process

User + Machine Authentication: Power Up -> Load NDIS Drivers -> 802.1X Machine Auth -> DHCP -> Setup Secure Channel to DC -> Update GPOs -> Apply Computer GPOs -> Present GINA -> 802.1X User Auth -> DHCP -> Windows Domain Auth

* Users Can Be Individually Authenticated


Configuring Machine and/or User Auth: Microsoft Windows Example

Mode is supplicant dependent

Cisco SSC

• Can be configured per profile

• Centrally configured via Admin tool

• Deployed via MSI

Native MS supplicants pre-Win7

• Controlled by registry keys (SP2) or XML (SP3 & Vista) & network properties authentication tab

• Can be set by GPO (Wireless only for XP, Wired and Wireless for Vista)

Win7 supplicants


Identity & Authentication: 802.1X Supplicants


802.1X Supplicants

Windows 7: Yes
Windows Vista: Yes
Windows XP: Yes
Windows 2000: Yes
Windows CE / Mobile: Yes
Linux: Yes
HP-UX: Yes
Solaris: Yes
HP printers & switches: Yes
Apple OS X: Yes
Apple iPhone: Yes
Nokia: Yes
Cisco IP Phone: Yes
Cisco AP: Yes
Cisco Switches: Yes (12.2.50)


PC Supplicant Types

Operating System – MAC OS X, XP Wireless Zero Config, Vista Native, Win7 Native

Hardware Specific – Intel Proset, Lenovo Access Connections

Premium – Cisco Secure Services Client, Juniper Odyssey

Open Source –

Xsupplicant (Open 1X) – http://open1x.sourceforge.net/

WPA supplicant - http://hostap.epitest.fi/wpa_supplicant/

Secure W2 - http://www.securew2.com/


Xsupplicant

Open Source

No additional up-front cost

Username / Password

Manual Connect

User Authentication

Server Validation

Wired & wireless

PEAP, TTLS, FAST, and MD5

Application –

Simple Authentication

No outside support required


WPA Supplicant

Open Source

Linux, BSD, Mac OS X, and Windows

No additional up-front cost

Wired & wireless

EAP types: EAP-TLS; EAP-PEAP (inner MSCHAPv2, TLS, GTC, OTP, MD5); EAP-TTLS (inner MD5, GTC, OTP, MSCHAPv2, TLS, PAP, CHAP); EAP-SIM; EAP-AKA; EAP-PSK; EAP-FAST; EAP-PAX; EAP-SAKE; EAP-IKEv2; EAP-GPSK (experimental); LEAP


Secure W2

Open Source

Windows suite: supports Windows 2000/XP/Vista and Windows Mobile 5/6 or Pocket PC 2003/2005

Support available

Wired & wireless

Plug-in for the existing Microsoft 802.1X/EAP framework (EapHost)

Support of EAP-TTLS and EAP-GTC


Microsoft Native Supplicant: XP SP2

Integral to operating system

nothing to deploy except configuration

No additional cost, licensed as part of OS

Same service controls wireless and wired 802.1X

Wireless Zero Config (WZC)

Integrated machine and user profile

Registry changes required for proper operation of wired 802.1X

EAP Types – PEAP/MSCHAPv2, PEAP/TLS, TLS, MD5


Vista & XP SP3 Native Supplicant

Integral to operating system

nothing to deploy except configuration

No additional cost, licensed as part of OS

Separate services for wireless and wired 802.1X

Wireless Zero Config (WZC)

Wired AutoConfig (DOT3SVC)

Machine & User Authentication

PEAP-MSCHAPv2,PEAP-TLS, EAP-TLS

Recommendations

Use NDIS 6 NIC drivers

Vista SP1

Auth Fail Hot-Fix:

http://support.microsoft.com/default.aspx?scid=kb;en-us;957931&sd=rss&spid=11712


Windows 7 Native

Integral to operating system

nothing to deploy except configuration

No additional cost, licensed as part of OS

Separate services for wireless and wired 802.1X

Wireless Zero Config (WZC)

Wired AutoConfig (DOT3SVC)

Machine & User Authentication

PEAP-MSCHAPv2,PEAP-TLS, EAP-TLS


Mac OS X 10.6

Wired and wireless support

Username / Password, Certificates, & Tokens

Machine or User Authentication

Broad EAP type support

No up-front licensing cost

Apple supported

End-user focused


Intel Proset

Driver Intimacy

Adapter settings

Radio On / Off

No additional up-front costs

Username / Password, Soft Certificates, Smartcards, & Tokens

Broad EAP Type Support

Wireless Only

Supported by Intel

Requires Intel NIC


Cisco Secure Services Client

Wired and wireless support

Username / Password, Soft Certificates, Smartcards, & Tokens

Machine & User Authentication

Broad EAP type support

Up-front licensing cost

Cisco supported

End-user focused

Applications –

Enterprise environments


Identity & Authentication: Non-802.1X Capable Devices & Users


Default Security: Consequences

Default 802.1X Challenge: devices without supplicants can't send EAPoL

No EAPoL = No Access (the device stays offline)

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

One Physical Port -> Two Virtual Ports

Uncontrolled port (EAPoL only)

Controlled port (everything else)


MAC Authentication Bypass (MAB) for Non-802.1X Devices

Device MAC: 00.0a.95.7f.de.06

1. Link up

2. Switch -> Device: EAP-Identity-Request

3. Switch -> Device: EAP-Identity-Request

4. Switch -> Device: EAP-Identity-Request (no response to any of them)

5. 802.1X times out; switch falls back to MAB. Switchport is open for one packet to learn the MAC; switch learns MAC

6. Switch -> AAA Server: RADIUS Access-Request, MAC: 00.0a.95.7f.de.06

7. AAA Server -> Switch: RADIUS Access-Accept
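As an added example (not from the slides or from Cisco), the Access-Request of step 6 in encoded form: the switch side that builds it and the server side that decodes it. It assumes the common MAB convention, which the deck does not spell out, that the learned MAC is sent as User-Name and as the PAP-hidden User-Password with Service-Type Call-Check and the MAC again as Calling-Station-Id; the shared secret and NAS address are constructed.

```python
"""Encode and decode the RADIUS Access-Request a switch sends for MAB.

Added example, not from the slides or from Cisco. Assumed MAB convention:
the learned MAC is User-Name and (PAP) User-Password, Service-Type is
Call-Check, Calling-Station-Id carries the MAC again. Packet and attribute
encoding follow RFC 2865. Secret and NAS address are constructed values.
"""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
# RFC 2865 attribute type numbers.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 4, 6, 31
SERVICE_TYPE_CALL_CHECK = 10


def normalize_mac(mac: str) -> str:
    """Accept the deck's formats ('00.0a.95.7f.de.06', 'B2 CF 81 A4 02 D7') -> 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password; trailing padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_mab_access_request(mac: str, secret: bytes, nas_ip: str, ident: int = 1,
                             authenticator: Optional[bytes] = None) -> bytes:
    """Switch side: Access-Request for a MAC learned on a port that fell back to MAB."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    hexmac = normalize_mac(mac)
    dashed = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (_attr(USER_NAME, hexmac.encode())
             + _attr(USER_PASSWORD, hide_pap_password(hexmac.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _attr(CALLING_STATION_ID, dashed.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: check the header, walk the attribute TLVs, recover the PAP password."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past packet end")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return {
        "id": ident,
        "user_name": attrs[USER_NAME].decode(),
        "password": reveal_pap_password(attrs[USER_PASSWORD], secret, authenticator).decode("utf-8", "replace"),
        "service_type": struct.unpack("!I", attrs[SERVICE_TYPE])[0],
        "calling_station_id": attrs[CALLING_STATION_ID].decode(),
        "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
    }


# Constructed sample: the MAC from the MAB slide; fixed authenticator so output is reproducible.
SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_mab_access_request("00.0a.95.7f.de.06", SECRET, "192.0.2.10",
                                          authenticator=bytes(range(16)))

if __name__ == "__main__":
    print(parse_access_request(SAMPLE_REQUEST, SECRET))
```

The decoded request shows why the deck rates MAB as weak: the only credential is the MAC itself, which anyone on the segment can observe and which the hidden User-Password merely repeats.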


802.1X with MAB Deployment Considerations

MAB enables differentiated access control (e.g. Guest VLAN, Printer VLAN)

MAB leverages centralized policy on AAA server

Dependency on 802.1X timeout -> delayed network access

• Default timeout is 30 seconds with three retries (90 seconds total)

• 90 seconds > DHCP timeout

MAB requires a database of known MAC addresses (MAC Database: RADIUS, LDAP, ACS)


Considerations: MAC Databases

Method | What is it? | Advantages | Problems | Use Case

OUI Wildcards | Use 3-byte identifier | Easy to add lots of devices | No granularity | 'Add all HP printers'

ACS | Local database with RADIUS server | Readily available | No central repository for all IDs | 'RADIUS only'

AD | Central directory service | Central repository | Should have support for [ieee802] object, password complexity | 'All in one'

NAC Profiler | Automatic building of MAC DB | Automated | Needs certain methods to make it reliably identify devices | 'Handle unknown devices'

LDAP | Central directory | Standards based | Manually populated and maintained | 'Leverage existing DB'


DEMO Time

MAB


Web Authentication for non-802.1X User

"Flex Auth": Multiple Triggers, Single Port Config

Participants: Host, Switch, DHCP/DNS, AAA Server

1. Trigger: 802.1X Timeout, 802.1X Failure or MAB Failure

2. Port Enabled, ACL Applied

3. Host Acquires IP Address, Triggers Session State

4. Host Opens Browser; Login Page; Host Sends Password

5. Switch Queries AAA Server; AAA Server Returns Policy (server authorizes user)

6. Switch Applies New ACL Policy


802.1X with Web-Auth Deployment Considerations

Web-Auth is only for users (not devices)

• browser required

• manual entry of username/password

Web-Auth can be a fallback from 802.1X or MAB.

Web-Auth and Guest VLAN* are mutually exclusive

Web-Auth supports ACL authorization only

Web-Auth behind an IP Phone requires Multi-Domain Authentication* (MDA)

* To be discussed in later sections


DEMO Time

Web-Auth


Identity & Authentication: Further Restrictions


Default Security: More Consequences

Multiple MACs are not allowed, to ensure validity of the authenticated session

• VMware, Phones, Hubs, Gratuitous ARP...

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator


Phase 0: Pre-Deployment


Introduction to ACME Corp.

Fictional company, a publishing house.

Employees, freelancers and guests are using the corporate network infrastructure.

The same infrastructure is used for other devices as well: 'One network to support them all.'

No access control in place as of today; everybody with physical access can connect.

The CIO decided to limit access. Only known devices must be allowed on the network.


ACME's Business Environment

Devices:

• IP Phone G/W: managed asset, Finance dept., 12:00pm

• Printer: agentless asset, MAC: B2 CF 81 A4 02 D7

• Laptop: managed asset, Main Laboratory, 11am

• Security Camera G/W: agentless asset, MAC: F5 AB 8B 65 00 D4

People:

• Rossi Barks: Employee, HR, Wireline, 11am

• Francois Didier: Consultant, HQ - Strategy, Remote Access, 6pm

• Bill Graves: Employee, R&D, Wireless, 2pm

• Frank Lee: Guest, Wireless, 9am

• Susan Kowalski: Employee, CEO, Remote Access, 10pm

• Sergei Balazov: Contractor, IT, Wireline, 10am

• Vicky Sanchez: Employee, Marketing, Wireline, 3pm

GLOBAL WORK FORCE: Employees, Contractors, Phones, Printers

SENSITIVE RESOURCES: Network, Devices & Applications

MULTIPLE ACCESS METHODS: From different devices, locations & times

ALL NEED CONTROLLING


ACME’s Goals

The Mission:

Prevent Anonymous / Unauthorized Access

Increase Network Visibility

Solution deployment should be transparent to end users

Employee end-user behavior should not change.

Legacy devices must not be locked out.

Best authentication method based on device capabilities should be chosen.


ACME’s Environment: Devices

PC devices are primarily running in a Microsoft Windows environment.

IP Telephony is Cisco, 50% are 802.1X ready and support EAP-TLS / certificate based authentication. No Certs deployed so far (MICs only).

Printers are not 802.1X-capable and must be authenticated via their MAC address.

All sorts of other (legacy) devices from freelancers (Macs, Linux machines, …) and generic devices (e.g. building control).


ACME’s Environment: Network

ACME recently did a refresh on their access network.

Devices are up-to-date and are running latest available code.

Devices are configured according to L2 best practice (DHCP snooping, DAI, VLAN != VVLAN != Management VLAN).

For conference rooms, only corporate owned and authorized devices may be cascaded to provide additional ports (Extended Edge concept).


ACME’s Environment: Back-End

Windows 2008 Active Directory

Environment managed via AD Group Policy Objects (GPOs)

GPOs enable centralized management and distribution of policy for users, computers and other objects in the directory.

Certificate Infrastructure is in place, Microsoft CA running on AD.

ACS 5.1 will be used to provide AAA services.


ACME’s Environment: Credentials

Corporate machines are registered with the Windows domain

Computers & Users log in with Name and Password to the domain

Additional authentication is enforced at the application layer

No authentication at all for all other devices


Considerations

What Authentication Method(s) should be used?

Which Operating Systems are to be supported?

Where are Credentials stored?

One Store vs. Many Stores

How to Build and Manage a MAC Database?


Considerations: Authentication Method

Method   | What's required?                         | Pros                                                          | Cons
802.1X   | Supplicant, credentials                  | Highest security                                              | Supplicant may not be available on every platform
MAB      | MAC address database                     | Works for all devices                                         | Weak, can be easily snooped; DB needs to be created and maintained
Web-Auth | Portal (on switches or on dedicated NGS) | No supplicant needed, every device with a browser can be used | Relies on initial connectivity; VLAN / IP address change after authentication is problematic


Further Considerations for 802.1X Authentication: EAP Methods

Method  | What's required?         | Pros                                                 | Cons
EAP-MD5 | Username, password       | Most devices with 802.1X support do at least EAP-MD5 | Offline dictionary attack, one-way authentication
EAP-TLS | Certificate distribution | Most secure method                                   | Certificate cost, distribution, renewal
PEAP    | Username, password       | Readily available in Windows environments            | Single-factor authentication

PEAP was chosen by ACME for operational efficiency.


Considerations: Operating Systems

OS (corporate asset)        | Supplicant            | Methods supported                | Remark
Windows XP and newer        | Built-in or 3rd party | MD5, TLS, PEAP                   | No MD5 with Vista and newer
Older Windows               | No support            | MAB or WebAuth                   |
Apple Mac OS X              | Built-in              | TTLS, TLS, FAST, PEAP, LEAP, MD5 |
802.1X-capable Cisco phones | Built-in              | MD5, FAST, TLS                   |
Other devices               | various               | various                          | various

OS (non-corporate asset)    | Supplicant | Methods supported | Remark
All                         | n/a        | MAB or WebAuth    | Guest Access


Considerations: MAC Databases

Which devices? PCs and non-PCs (UPS, phone, printer, AP)

• What to use? OUI or individual MAC address

• Where to store? RADIUS server, Active Directory, LDAP

• How to maintain? Manually or (semi-)automatically

ACME's choice: RADIUS server


ACME's Starting Point

• Credential store

• EAP type

• Guest access

• Unmanaged devices


ACME Summary & Goal

Enforce admission control to wired network

Use central identity store, Active Directory

Control plane is RADIUS

Provide coherent solution for all devices


Phase 1: Monitor Mode


ACME's Goals: Phase 1

Gain visibility of what's currently on the network
• Managed assets
• Agentless assets
• Unknown devices

Validate components are functioning as expected

Identify non-functioning components and correct them

Be transparent to users and the current network

ACME's goals can be met with Monitor Mode


Default Security: Consequences (Default 802.1X Challenge)

One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).

Devices without supplicants can't send EAPoL. No EAPoL = no access: they stay offline.

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator


Changing the Default Authorization: "Open Access"

Open access (no restrictions): authentication is performed, but there is no access control.

interface fastEthernet 3/48
 authentication port-control auto
 authentication open
 dot1x pae authenticator
 mab


Default Security: Consequences (Multiple MACs per Port)

With the default configuration, multiple MACs on a port are assumed to be malicious:

• Hubs, gratuitous ARPs, VMware

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator


Modifying the Default Security: "Multi-Auth"

Multiple MACs on the port: each MAC is authenticated separately.

• 802.1X or MAB

interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
 authentication open
 dot1x pae authenticator
 mab


Enabling Monitor Mode – RADIUS Server

Configure PKI and identity servers

Create 802.1X & MAB policies
- Every user in AD is permitted
- Separate rules can be used for reporting


Enabling Monitor Mode – Managed Assets

Roll out the Root CA cert to managed assets via GPO

Activate the PEAP configuration for user authentication via GPO

Activate the Wired Auth service on Windows machines via GPO

All managed assets should be provisioned before the switches are configured for access control


DEMO Time

Managing 802.1X Parameters with Active Directory GPOs


Phased Rollout

Deploy supplicant configuration components first

Configure RADIUS server second

Deploy switches third

Possibly start with one floor at a time

Validate via case load that monitor mode is working as expected

After successful floor rollouts expand to multiple floors or a building at a time


Monitor Mode: Monitoring


Monitor Mode – Monitoring and Reporting

RADIUS accounting logs provide visibility:
• Passed/failed 802.1X/EAP attempts
• List of valid dot1x-capable devices
• List of non-dot1x-capable devices
• Passed/failed MAB attempts
• List of valid MACs
• List of invalid or unknown MACs

TO DO before implementing access control:
• Confirm that all these should be on the network
• Install supplicants on X, Y, Z clients
• Upgrade credentials on failed 802.1X clients
• Update the MAC database with failed MABs
• …

Monitor the network, see who's on, and address future connectivity problems by installing supplicants and credentials and creating the MAB database.


RADIUS Authentication

ACME authentications can be monitored

View Trends of Passed (should be high)

View Trends of Failures (should be low)

View Trends of Unknown MAC Addresses (should start high and lower as MAC Addresses are added to the database)


Active Monitoring

Network Visibility is not just about passed/failed authentications

The RADIUS server can have a session directory provided by RADIUS accounting.

This provides ACME with a view of all active sessions as they enter and leave the network

This information can be used along with other security information for better incident response


802.1X with RADIUS Accounting (PC, Switch, ACS)

1. Authenticate: the 802.1X process runs between the supplicant and the switch, the RADIUS process between the switch and ACS
2. ACS returns Access-Accept; the switch sends EAPOL-Success to the supplicant
3. The switch sends an Accounting Request to ACS
4. ACS returns an Accounting Response


802.1X with RADIUS Accounting

Similar to other accounting and tracking mechanisms that already exist using RADIUS

Can now be done through 802.1X

Increases network session awareness

Provides information to a management infrastructure about who logs in and session duration, supports basic billing usage reporting, etc.

Provides a means to map the information of authenticated

IOS:
aaa accounting dot1x default start-stop group radius

Identity, Port, MAC, Switch + IP, Port, MAC, Switch = Identity <-> IP

Switch + Port = Location
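As an added example (not from the presentation or from Cisco), the following Python script shows how the mapping on this slide is built in practice from the two RADIUS streams: authentication records carry identity, MAC, switch and port; accounting Start/Interim-Update/Stop records add the IP address and the session lifetime. Joining them on the (switch, port, MAC) tuple resolves an IP address seen in an incident to a user and a physical location. The records are constructed samples using standard RADIUS attribute names; their layout and the helper names are assumptions.

```python
"""Session directory from RADIUS authentication + accounting records.

Added example, not part of the original presentation. The records are
constructed samples using standard RADIUS attribute names (User-Name,
Calling-Station-Id, NAS-IP-Address, NAS-Port-Id, Framed-IP-Address,
Acct-Status-Type, Acct-Session-Id); a real tool would read them from the
AAA server's logs. Joining the two streams on (switch, port, MAC) gives
Identity <-> IP, and Switch + Port gives the location.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: what authentication tells us (no IP address yet).
AUTH_RECORDS = [
    {"User-Name": "jdoe", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/48", "Method": "dot1x"},
    {"User-Name": "00-50-56-AA-00-01", "Calling-Station-Id": "00-50-56-AA-00-01",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/47", "Method": "mab"},
]

# Constructed sample accounting stream. The IP address of a DHCP client is
# typically not known at Start and arrives in a later Interim-Update.
ACCT_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001",
     "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/48"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "0001",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.100.20.200",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/48"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "00-50-56-AA-00-01", "Framed-IP-Address": "10.100.20.201",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/47"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0002",
     "Calling-Station-Id": "00-50-56-AA-00-01",
     "NAS-IP-Address": "10.1.1.10", "NAS-Port-Id": "FastEthernet3/47"},
]

Key = Tuple[str, str, str]   # (switch, port, normalized MAC)


@dataclass
class Session:
    identity: str
    mac: str
    switch: str
    port: str
    method: str
    ip: Optional[str] = None
    active: bool = False

    @property
    def location(self) -> str:
        """Switch + Port = Location."""
        return f"{self.switch} {self.port}"


def normalize_mac(mac: str) -> str:
    """00-11-22-33-44-55, 00:11:22:33:44:55 and 0011.2233.4455 all become 001122334455."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def session_key(rec: dict) -> Key:
    return (rec["NAS-IP-Address"], rec["NAS-Port-Id"], normalize_mac(rec["Calling-Station-Id"]))


def build_directory(auth_records: Iterable[dict], acct_records: Iterable[dict]) -> Dict[Key, Session]:
    """Join authentication (identity) with accounting (IP, start/stop) on (switch, port, MAC)."""
    directory: Dict[Key, Session] = {}
    for rec in auth_records:
        directory[session_key(rec)] = Session(
            identity=rec["User-Name"], mac=normalize_mac(rec["Calling-Station-Id"]),
            switch=rec["NAS-IP-Address"], port=rec["NAS-Port-Id"], method=rec["Method"])
    for rec in acct_records:
        sess = directory.get(session_key(rec))
        if sess is None:
            continue   # accounting for a session that never authenticated here: worth a look
        status = rec["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            sess.active = True
            if "Framed-IP-Address" in rec:
                sess.ip = rec["Framed-IP-Address"]
        elif status == "Stop":
            sess.active = False
    return directory


def active_sessions(directory: Dict[Key, Session]) -> Dict[Key, Session]:
    return {k: s for k, s in directory.items() if s.active}


def who_has_ip(directory: Dict[Key, Session], ip: str) -> Optional[Session]:
    """Incident-response lookup: which identity and location currently hold this IP?"""
    for sess in directory.values():
        if sess.active and sess.ip == ip:
            return sess
    return None


if __name__ == "__main__":
    d = build_directory(AUTH_RECORDS, ACCT_RECORDS)
    for s in active_sessions(d).values():
        print(f"{s.identity:<20} {s.ip or '?':<15} {s.location} ({s.method})")
```

Interim-Update records matter here: without them a DHCP client's session stays in the directory without an IP, which is exactly the gap incident response hits when only Start/Stop accounting is collected.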


Simple Homegrown Tools

Switches log all passed/failed sessions via syslog

RADIUS servers typically all log information in plain text

Relatively easy to run scripts against this information to create monitoring views

Scripts can create database of mac addresses seen from the network
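An added example of such a homegrown script (not from the presentation or from Cisco): it parses the success/fail messages a switch sends via syslog in monitor mode and produces the lists from the monitoring slide above (dot1x-capable vs. non-dot1x devices, valid vs. unknown MACs) together with the resulting to-do list. The log lines are constructed samples modelled on the IOS %DOT1X-5-* and %MAB-5-* messages; the exact wording and the AuditSessionID field may differ on your switches, so the regular expression is an assumption to adjust.

```python
"""Monitor-mode report from switch syslog: the "homegrown script" approach.

Added example, not from the presentation. The log lines are constructed
samples modelled on the IOS %DOT1X-5-SUCCESS/FAIL and %MAB-5-SUCCESS/FAIL
messages; the exact wording varies between IOS releases, so adapt AUTH_RE
to what your switches really send.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Constructed sample syslog (one floor switch, a few minutes of monitor mode).
SAMPLE_SYSLOG = """\
<189>Mar  1 10:00:01 sw-floor3 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa3/48 AuditSessionID 0A01010A00000001
<189>Mar  1 10:00:05 sw-floor3 %MAB-5-SUCCESS: Authentication successful for client (0050.56aa.0001) on Interface Fa3/47 AuditSessionID 0A01010A00000002
<189>Mar  1 10:00:09 sw-floor3 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.6677) on Interface Fa3/46 AuditSessionID 0A01010A00000003
<189>Mar  1 10:00:12 sw-floor3 %MAB-5-SUCCESS: Authentication successful for client (0011.2233.6677) on Interface Fa3/46 AuditSessionID 0A01010A00000003
<189>Mar  1 10:01:40 sw-floor3 %MAB-5-FAIL: Authentication failed for client (0019.e8aa.bbcc) on Interface Fa3/45 AuditSessionID 0A01010A00000004
<189>Mar  1 10:01:41 sw-floor3 %LINK-3-UPDOWN: Interface FastEthernet3/45, changed state to up
"""

AUTH_RE = re.compile(
    r"%(?P<method>DOT1X|MAB)-5-(?P<result>SUCCESS|FAIL): Authentication \w+ for client "
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)"
)


def parse_events(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per authentication result line; other syslog lines are ignored."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(lines: Iterable[str]) -> Dict:
    """Produce the lists the monitor-mode slide asks for."""
    counts: Counter = Counter()
    dot1x_seen, mab_seen, valid_macs, dot1x_failed = set(), set(), set(), set()
    unknown_macs: Dict[str, str] = {}   # MAC -> last interface it failed MAB on
    for ev in parse_events(lines):
        counts[(ev["method"], ev["result"])] += 1
        if ev["method"] == "DOT1X":
            dot1x_seen.add(ev["mac"])
            if ev["result"] == "FAIL":
                dot1x_failed.add(ev["mac"])
        else:
            mab_seen.add(ev["mac"])
            if ev["result"] == "SUCCESS":
                valid_macs.add(ev["mac"])
            else:
                unknown_macs[ev["mac"]] = ev["intf"]
    return {
        "counts": dict(counts),
        "dot1x_capable": sorted(dot1x_seen),                 # spoke EAPoL at least once
        "non_dot1x_capable": sorted(mab_seen - dot1x_seen),  # only ever seen via MAB
        "valid_macs": sorted(valid_macs),
        "dot1x_failed": sorted(dot1x_failed),                # credential problems to fix
        "unknown_macs": unknown_macs,                        # candidates for the MAB database
    }


def todo_before_enforcement(summary: Dict) -> List[str]:
    """The 'TO DO before implementing access control' list, generated from the data."""
    todo = [f"fix 802.1X credentials on {mac}" for mac in summary["dot1x_failed"]]
    todo += [f"review {mac} on {intf}: add to MAB DB or remove from network"
             for mac, intf in sorted(summary["unknown_macs"].items())]
    return todo


if __name__ == "__main__":
    s = summarize(SAMPLE_SYSLOG.splitlines())
    print(s["counts"])
    print("\n".join(todo_before_enforcement(s)))
```

Note the third and fourth sample lines: a device that fails 802.1X and then passes MAB is still dot1x-capable, so it lands on the "fix credentials" list rather than the MAB database, which is the distinction the slide draws between the two lists.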


Monitoring with ACS 5.1. Tip: the Interactive Viewer is your friend. Launch it, then right-click inside the report for customization options.

Detailed reports are lifesavers.


ACS 5.1 Details Report


Monitor Mode: Network Access Table

Endpoints              | Authentication Status           | Authorization     | Implementation
All (including PXE)    | Pre-Auth                        | Enterprise Access | Open authentication
Employees              | 802.1X Success                  | Enterprise Access | Open authentication
Corporate Asset        | MAB Success                     | Enterprise Access | Open authentication
Phones                 | 802.1X or MAB Success           | Voice Access      | Open authentication
Employees              | 802.1X Fail -> MAB              | Enterprise Access | Open authentication
Sponsored Guest        | 802.1X Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Enterprise Access | Open authentication
All                    | None (AAA server down)          | Enterprise Access | Open authentication


Low Impact Mode


ACME’s Goals: Phase 2

Maintain Visibility

Control Access to Sensitive Assets

Preserve Network Access for Managed Assets

Special Case: PXE boot

Preserve Current Network Architecture

No changes to VLAN infrastructure

ACME's Goals Can Be Met With

Low Impact Mode


Access Control & Clientless Devices

The timing problem with MAB:
• MAB depends on the 802.1X timeout
• Many devices are time-sensitive
• DHCP is especially finicky

The Low Impact solution:
• Provide access to time-critical services before authentication
• Continue to restrict access to other services until after authentication

ACME's time-critical services:
• DHCP, DNS, TFTP
• This is enough for PXE devices to boot before MAB completes


Low Impact: Network Access Table

Endpoints              | Authentication Status                               | Authorization
All (including PXE)    | Pre-Auth                                            | Limited Access
Employees              | 802.1X Success                                      | Enterprise Access
Corporate Asset        | MAB Success                                         | Enterprise Access
Phones                 | 802.1X or MAB Success                               | Voice Access
Employees              | 802.1X Fail -> MAB or Web-Auth Success              | Enterprise Access
Sponsored Guest        | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail    | Limited Access
All                    | None (AAA server down)                              | Limited Access


Low Impact Implementation: Limited ("Selectively Open") Access

• Open mode (pinhole) on specific TCP/UDP ports; restrict to specific addresses
• EAP allowed (controlled port)
• Block general access until successful 802.1X, MAB or WebAuth
• Pinhole explicit tcp/udp ports to allow the desired access
• Download a general-access ACL upon authentication

interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group PREAUTH in


dACLs Open Port After Authentication

Configure downloadable ACLs (dACL) for authenticated users.

permit ip host 10.100.20.200 any
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp

The switch dynamically substitutes the endpoint's address into the dACL (PREAUTH ACL shown alongside).

• Contents of the dACL are arbitrary.
• Can have as many unique dACLs as there are user permission groups
• Same principles as the pre-auth port ACL
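As an added example (not from the presentation), here is a small Python evaluator for the ACL syntax on these slides, applying IOS first-match semantics with the implicit deny at the end. It treats the four tcp/udp lines as the PREAUTH port ACL and `permit ip host 10.100.20.200 any` as the permit-any dACL after the switch has substituted the endpoint's address, which is my reading of the slide. The sample packets are constructed: a PXE client's DHCP discover, DNS to the permitted server and to another server, and an SMB connection before and after authentication.

```python
"""Evaluate Cisco-style pre-auth and downloadable ACLs against sample packets.

Added example, not part of the presentation. It parses the subset of IOS
extended-ACL syntax used on the slide (permit/deny, ip/tcp/udp, any/host/
wildcard addresses, "eq <port>", "established") and applies first-match
semantics with the implicit deny at the end. Packet values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known names IOS accepts in place of port numbers (subset).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80, "https": 443}


@dataclass
class Packet:
    proto: str              # "tcp" or "udp"; "ip" entries match any protocol
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]
    dport: Optional[int]
    established: bool


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "A.B.C.D W.X.Y.Z": IOS wildcard mask, the bitwise inverse of a netmask
    mask = ".".join(str(255 - int(o)) for o in tok[i + 1].split("."))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "remark"):
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        established = i < len(tok) and tok[i] == "established"
        aces.append(Ace(action, proto, src, dst, sport, dport, established))
    return aces


def _match(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ace.src or ipaddress.ip_address(p.dst) not in ace.dst:
        return False
    if ace.sport is not None and p.sport != ace.sport:
        return False
    if ace.dport is not None and p.dport != ace.dport:
        return False
    # "established" only inspects TCP flags (ACK/RST); it is not stateful session tracking.
    if ace.established and not (p.proto == "tcp" and p.established):
        return False
    return True


def permitted(acl: List[Ace], p: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if _match(ace, p):
            return ace.action == "permit"
    return False


# Pre-auth port ACL from the slide: DHCP, DNS and TFTP to the named servers,
# plus return traffic of TCP sessions initiated toward the endpoint.
PREAUTH_ACL = parse_acl("""
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
""")


def download_dacl(dacl_text: str, endpoint_ip: str) -> List[Ace]:
    """Mimic the switch substituting the endpoint's address for the source 'any'."""
    lines = []
    for line in dacl_text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[2] == "any":
            tok[2:3] = ["host", endpoint_ip]
        lines.append(" ".join(tok))
    return parse_acl("\n".join(lines))


# Permit-any dACL for an authenticated employee at 10.100.20.200 becomes
# "permit ip host 10.100.20.200 any", the first line on the slide.
ENTERPRISE_DACL = download_dacl("permit ip any any", "10.100.20.200")

# Constructed sample packets (all inbound on the access port, i.e. sent by the endpoint).
PXE_DHCP = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
DNS_OK = Packet("udp", "10.100.20.200", "10.100.10.116", 51000, 53)
DNS_OTHER = Packet("udp", "10.100.20.200", "10.100.10.50", 51000, 53)
SMB = Packet("tcp", "10.100.20.200", "10.100.10.50", 51001, 445)
```

The pre-auth ACL lets the PXE client get an address and its boot image while SMB to the file server is dropped until the dACL arrives; the `established` entry deserves a second look in any real deployment because it matches on flags alone.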


Low Impact: Network Access Table

Endpoints              | Authentication Status                               | Authorization             | Implementation
All (including PXE)    | Pre-Auth                                            | Limited Access            | Pre-Auth ACL
Employees              | 802.1X Success                                      | Enterprise Access         | Permit-Any dACL
Corporate Asset        | MAB Success                                         | Enterprise Access         | Permit-Any dACL
Phones                 | 802.1X or MAB Success                               | Voice Access              |
Employees              | 802.1X Fail -> MAB or Web-Auth Success              | Enterprise Access         |
Sponsored Guest        | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access |
Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail    | Limited Access            | Pre-Auth ACL
All                    | None (AAA server down)                              | Limited Access            | Pre-Auth ACL


DEMO Time

PXE boot and Enterprise Access

pre-Auth ACL

dACL


Low Impact Mode: Flex Auth


Flexible Authentication: "Flex-Auth", One Configuration Fits Most

Configurable behavior after 802.1X timeout: 1) Next-Method

Configurable behavior after 802.1X failure:

Configurable order and priority of authentication methods

Configurable behavior before & after the AAA server dies

Flex-Auth enables a single configuration for most use cases


802.1X Failure vs. 802.1X Timeout

An 802.1X failure occurs when the AAA server rejects the request:
EAPoL Start -> EAPoL Request Identity -> EAPoL Response Identity -> RADIUS Access Request -> RADIUS Access Reject -> EAP Failure

A timeout occurs when an endpoint can't speak 802.1X:
EAPoL Request Identity -> no answer ("EAP Who?")


Default Behavior on 802.1X Timeout

After 802.1X times out, the port automatically falls back to the "next method" if another method is configured.

802.1X & MAB: 802.1X -> (802.1X timeout) -> MAB

802.1X & Web Auth: 802.1X -> (802.1X timeout) -> Web-Auth

802.1X, MAB, Web-Auth: 802.1X -> (802.1X timeout) -> MAB -> (MAB fails) -> Web Auth


Flex-Auth for 802.1X Failures (Low Impact Mode)

Configurable behavior after 802.1X timeout: 1) Next-Method

Configurable behavior after 802.1X failure: 1) Next-Method

Configurable order and priority of authentication methods

Configurable behavior before & after the AAA server dies

Flex-Auth enables a single configuration for most use cases


Default Security After 802.1X Failure

Before authentication: all traffic except EAPoL is dropped.

After 802.1X failure: all traffic except EAPoL is dropped.


Why Provide Access to Devices that Fail?

Employees' credentials expire or get entered incorrectly ("802.1X: Certificate expired!", "802.1X: User unknown!").

As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.

Many enterprises require that guests and failed corporate assets get conditional access to the network.


Failed Auth with Flex-auth: Next-method

After 802.1X failure:

6506-2(config-if)#authentication event fail action next-method
6506-2(config-if)#authentication order dot1x mab

• User authenticated via MAB
• Access determined by the MAB result
• Supplicant expected to "fail open"
• Allow a single packet through to learn the MAC


802.1X Failure with Next-Method

When the port is configured to fail to the next method, it falls back to the "next method" in the following order.

802.1X & MAB: 802.1X -> (802.1X failure) -> MAB

802.1X & Web Auth: 802.1X -> (802.1X failure) -> Web-Auth

802.1X, MAB, Web-Auth: 802.1X -> (802.1X failure) -> MAB -> (MAB fails) -> Web Auth


Flex-Auth Order & Priority

Configurable behavior after 802.1X timeout: 1) Next-Method

Configurable behavior after 802.1X failure: 1) Next-Method

Configurable order and priority of authentication methods

Configurable behavior before & after the AAA server dies

Flex-Auth enables a single configuration for most use cases


Flex-Auth Sequencing

By default, the switch attempts the most secure auth method first.

Default order (802.1X first): 802.1X -> (802.1X timeout / fail) -> MAB -> (MAB fails) -> Web Auth
Timeout can mean a significant delay before MAB.

Flex-Auth order (MAB first): MAB -> (MAB fails) -> 802.1X -> (802.1X timeout) -> Web Auth
The alternative order does MAB on the first packet from the device.


Flex-Auth Order with Flex-Auth Priority

Priority determines which method can preempt other methods.

By default, method sequence determines priority (first method has highest priority).

If MAB has priority, EAPoL-Starts will be ignored if MAB passes.

Default priority (802.1X ignored after successful MAB): MAB -> (MAB passes) -> port authorized by MAB; EAPoL-Start received -> ignored. (MAB -> (MAB fails) -> 802.1X)

Flex-Auth priority (802.1X starts despite successful MAB): MAB -> (MAB passes) -> port authorized by MAB; EAPoL-Start received -> 802.1X starts.
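As an added example (not from the presentation), the following Python model turns the Flex-Auth behaviour of the preceding slides into a small state machine: method order, next-method on timeout or failure, and priority-based preemption when an EAPoL-Start arrives after MAB has already authorized the port. The Config and Endpoint fields and the function names are my own; the timeout estimate uses the IOS defaults for dot1x tx-period (30 s) and max-reauth-req (2), which is where the "significant delay before MAB" comes from. A failed 802.1X preemption is simplified to keeping the previous authorization, a modelling choice rather than documented switch behaviour.

```python
"""Flex-Auth order, next-method fallback and priority as a small state machine.

Added example, not from the presentation. It models the behaviour the
Flex-Auth slides describe so the variants can be compared side by side; the
Config/Endpoint fields and function names are the author's own, and the
timeout arithmetic uses the IOS defaults for dot1x tx-period (30 s) and
max-reauth-req (2).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Config:
    order: List[str] = field(default_factory=lambda: ["dot1x", "mab"])  # authentication order ...
    priority: Optional[List[str]] = None  # authentication priority ...; None = follows order
    fail_next_method: bool = False        # authentication event fail action next-method

    def effective_priority(self) -> List[str]:
        return self.priority if self.priority is not None else self.order


@dataclass
class Endpoint:
    has_supplicant: bool = False   # can it answer EAPoL Request-Identity at all?
    creds_valid: bool = False      # would the AAA server accept its 802.1X credentials?
    mac_known: bool = False        # is its MAC in the MAB database?
    web_creds_valid: bool = False  # would it pass web authentication?


@dataclass
class Result:
    trace: List[Tuple[str, str]]   # (method, outcome) in the order they were tried
    authorized_by: Optional[str]   # method that authorized the port, or None


def dot1x_timeout_seconds(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Silent endpoint: the initial Request-Identity plus max-reauth-req retries,
    tx-period apart, before the switch declares an 802.1X timeout (defaults give 90 s)."""
    return tx_period * (max_reauth_req + 1)


def run_method(method: str, ep: Endpoint) -> str:
    """Outcome of one method: 'success', 'fail' (server rejected) or 'timeout' (no EAPoL)."""
    if method == "dot1x":
        if not ep.has_supplicant:
            return "timeout"
        return "success" if ep.creds_valid else "fail"
    if method == "mab":
        return "success" if ep.mac_known else "fail"
    if method == "webauth":
        return "success" if ep.web_creds_valid else "fail"
    raise ValueError(f"unknown method {method}")


def authenticate(cfg: Config, ep: Endpoint) -> Result:
    """Walk the configured order: timeouts always fall through, 802.1X failures only
    with fail_next_method, and a failed MAB falls through to whatever follows it."""
    trace: List[Tuple[str, str]] = []
    for method in cfg.order:
        outcome = run_method(method, ep)
        trace.append((method, outcome))
        if outcome == "success":
            return Result(trace, method)
        if method == "dot1x" and outcome == "fail" and not cfg.fail_next_method:
            return Result(trace, None)   # default: failure is terminal, port stays closed
    return Result(trace, None)


def on_eapol_start(cfg: Config, ep: Endpoint, result: Result) -> Result:
    """A supplicant sends EAPoL-Start after another method authorized the port.
    802.1X preempts only if it ranks above the method in control; otherwise it is
    ignored. Simplification: a failed preemption keeps the previous authorization."""
    current = result.authorized_by
    prio = cfg.effective_priority()
    if current in (None, "dot1x") or "dot1x" not in prio or current not in prio:
        return result
    if prio.index("dot1x") > prio.index(current):
        return result                     # lower priority: EAPoL-Start ignored
    outcome = run_method("dot1x", ep)
    trace = result.trace + [("dot1x", outcome)]
    return Result(trace, "dot1x" if outcome == "success" else current)


if __name__ == "__main__":
    printer = Endpoint(mac_known=True)
    print(authenticate(Config(), printer))   # dot1x timeout -> MAB success
    print(dot1x_timeout_seconds(), "seconds before MAB with default timers")
```

Running the same printer through `Config(order=["mab", "dot1x"])` shows the MAB-first order from the sequencing slide: one MAB lookup on the first packet and no 90 second wait.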


Low Impact Mode: Web Auth


What ACME Expects for Web Auth

Guest:
• Customizable login page
• Sponsored guest credentials
• Existing credential stores
• Parity for wired / WLAN
• Centralized web page management

Employee:
• Flexible access policies
• Integrated local web authentication
• Centralized accounting
• 802.1X/MAB compatibility

Components: Active Directory, NAC Guest Server, ACS 5.1


Introducing…Web-Auth’s New Best Friend

Multi-Function Standalone Appliance

Customizable Hotspot Hosting

Sponsored Guest Access Provisioning, Verification, Management

NAC Guest Server (NGS)

Product Bulletin: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_bulletin0900aecd806f3235.html

Data Sheet: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html


Basic Wired: Distributed Login Pages

Default (auth-proxy banner): fixed text, text only

ip admission auth-proxy-banner http ^C Here is what the auth-proxy-banner looks like ^C

Customized: 4 files, 8 KB max each

ip admission proxy http login expired page file bootflash:expired.html
ip admission proxy http login page file bootflash:login.html
ip admission proxy http success page file bootflash:success.html
ip admission proxy http failure page file bootflash:fail.html

Images must be embedded or external


Enhanced Web Auth – Centralized Login Page (new with NGS 2.0.2!)

1. Guest opens a web browser

2. Web traffic is intercepted by the switch and redirected to the Guest Server (Cisco NAC Guest Server)

3. Guest Server returns the centralized login page


Web Authentication Can Be Used For Guests and/or Employees

• ACS can use RADIUS proxy to validate sponsored guest credentials on NGS

• ACS can query other ID stores (like AD) to validate employee credentials

• ACS policy can assign different levels of access to Guest and Employee

Low Impact: Network Access Table

| Endpoints | Authentication Status | Authorization | Implementation |
|---|---|---|---|
| All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL |
| Employees | 802.1X Success | Enterprise Access | Permit-Any dACL |
| Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL |
| Phones | 802.1X or MAB Success | Voice Access | |
| Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL |
| Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL |
| Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL |
| All | None (AAA server down) | Limited Access | Pre-Auth ACL |

DEMO Time: Next-Method for 802.1X Timeout & Fail -> Web-Auth

Low Impact Mode: IP Telephony

802.1X & IPT: A Special Case: Voice Ports

With voice ports, a port can belong to two VLANs while still keeping voice and data traffic separate and allowing you to configure 802.1X. An access port able to handle two VLANs:

• Native or Port VLAN Identifier (PVID): untagged 802.3 frames, authenticated by 802.1X
• Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1Q frames, "authenticated" by CDP

The hardware is set to a dot1q trunk.

IPT & 802.1X: Fundamental Challenges

(Figure: a Catalyst 3750 with an IP phone and, behind it, a PC daisy-chained on a single switch port.)

1. Two devices per port: IPT breaks the point-to-point model.

"The operation of Port Access Control assumes that the Ports on which it operates offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis." (IEEE 802.1X-2004)

2. Link-state dependency: the PC's link state is unknown to the switch, because the PC is plugged into the phone's second port rather than into the Catalyst port. A second MAC address showing up on the port is therefore treated as a security violation.

First Solution: CDP Bypass

(Figure: the phone sends CDP; the voice VLAN is opened for the phone while the data VLAN stays gated by 802.1X.)

interface fastEthernet 3/48
 switchport voice vlan 10
 authentication port-control auto
 dot1x pae authenticator

Benefits:
• Access to the voice VLAN as soon as the phone sends CDP
• Default behavior: Cisco IP Phones get access if a voice VLAN is configured
• Works for all Cisco phone models

Deployment considerations:
• CDP-capable hackers get full access, too
• No visibility, no access control
• Incompatible with dynamic VVID, downloadable ACLs (dACLs) and PC Web Auth

Second Solution: Multi-Domain Authentication (MDA) Host Mode

interface fastEthernet 3/48
 authentication host-mode multi-domain

IEEE 802.1X: a single device per port. MDA: a single device per domain per port (one Data Domain, one Voice Domain).

• Phones and PCs use 802.1X or MAB
• MDA is a subset of Multi-Auth

MDA with MAC Authentication Bypass (MAB)

(Sequence for a phone with MAC 00.18.ba.c7.bc.ee: Layer 2 point-to-point link from phone to switch, Layer 3 link from switch to AAA server.)

1. Link up.
2. The switch sends EAP-Identity-Request, waits 30 seconds, gets no response (timeout), and repeats this twice more: three requests, three timeouts.
3. Fallback to MAB: the switch learns the phone's MAC from its first frame.
4. RADIUS Access-Request: 00.18.ba.c7.bc.ee
5. RADIUS Access-Accept carrying device-traffic-class=voice (the "Voice VSA"): voice VLAN enabled.

Benefits:
• No client, no credential needed -> works for all Cisco phone models
• Enables visibility and access control
• Compatible with 802.1X features

Deployment considerations:
• Dependency on the AAA server
• Must create & maintain a phone MAC database
• Default 802.1X timeout = 90 seconds of latency (mitigated by Low Impact Mode)
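The MAB exchange above, worked through at the RADIUS level as an added example (this is not code from the presentation or from Cisco): the switch sends the learned MAC as User-Name and (hidden per RFC 2865) User-Password with Service-Type Call-Check; the AAA server accepts it as MAB only if the password decrypts to the username, looks the MAC up in the phone database the slide says you must maintain, and answers with the Cisco AV-pair device-traffic-class=voice (vendor 9, sub-type 1); the switch verifies the Response Authenticator before acting on the reply. The exact attribute set and the MAC formats (12 lowercase hex digits for User-Name, dashed uppercase for Calling-Station-Id) are assumptions about what a Catalyst sends, and PHONE_MAC_DB is a constructed sample.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 2, 6, 26, 31
SERVICE_TYPE_CALL_CHECK = 10     # RFC 2865 "Call Check": how the switch marks a MAB request
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
VOICE_VSA = "device-traffic-class=voice"

# Constructed sample of the phone MAC database the slide says you must maintain.
PHONE_MAC_DB = {"0018bac7bcee": VOICE_VSA}


def attr(t, value):
    """One RADIUS TLV: type, length (including these two bytes), value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet):
    """TLVs after the 20-byte header; refuse lengths that would loop or overrun."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def _password_xor(data, secret, authenticator, encrypting):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block); the first block is keyed with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], digest))
        out += block
        prev = block if encrypting else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")


def build_mab_request(mac, secret, identifier, authenticator=None):
    """Switch side, after the 802.1X identity requests time out: the learned MAC is the
    only credential. The MAC formats are an assumption about what a Catalyst sends."""
    authenticator = authenticator or os.urandom(16)
    hexmac = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    dashed = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (attr(USER_NAME, hexmac.encode())
             + attr(USER_PASSWORD, hide_password(hexmac.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, dashed.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def mab_identity(packet, secret):
    """AAA side: it is MAB only if Service-Type is Call-Check and the hidden password
    decrypts to the User-Name (a wrong shared secret fails here instead of matching)."""
    if packet[0] != ACCESS_REQUEST:
        return None
    attrs = dict(parse_attrs(packet))
    service = struct.unpack("!I", attrs.get(SERVICE_TYPE, b"\0\0\0\0"))[0]
    if service != SERVICE_TYPE_CALL_CHECK or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    if reveal_password(attrs[USER_PASSWORD], secret, packet[4:20]) != attrs[USER_NAME]:
        return None
    return attrs[USER_NAME].decode()


def build_response(request, secret, avpairs):
    """AAA side: Access-Accept carrying Cisco AV-pairs (vendor 9, sub-type 1), or an
    Access-Reject when there are none. Response Authenticator per RFC 2865 s3."""
    code = ACCESS_ACCEPT if avpairs else ACCESS_REJECT
    attrs = b"".join(attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
                          + attr(CISCO_AVPAIR, avp.encode())) for avp in avpairs)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def authorize_phone(request, secret):
    """AAA policy: a known phone MAC gets an Accept with the Voice VSA, else a Reject."""
    mac = mab_identity(request, secret)
    return build_response(request, secret, [PHONE_MAC_DB[mac]] if mac in PHONE_MAC_DB else [])


def session_domain(request, response, secret):
    """Switch side: drop a reply whose ID or Response Authenticator does not match the
    outstanding request (a forged Accept injected on the wire), then pick the domain."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return None
    if response[0] != ACCESS_ACCEPT:
        return "UNAUTHORIZED"
    avpairs = []
    for t, v in parse_attrs(response):
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            pos = 4
            while pos + 2 <= len(v) and v[pos + 1] >= 2:
                if v[pos] == CISCO_AVPAIR:
                    avpairs.append(v[pos + 2:pos + v[pos + 1]].decode())
                pos += v[pos + 1]
    return "VOICE" if VOICE_VSA in avpairs else "DATA"
```

Note that MAB only proves possession of the shared secret between switch and AAA server; the MAC itself is not a secret, which is why the slides call CDP bypass and MAC spoofing out as holes and why the Response Authenticator check matters on the switch side.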

MDA with 802.1X

(Supplicant = phone, Authenticator = switch, over the Layer 2 point-to-point link; Authenticator to AAA server over a Layer 3 link. The actual exchanges depend on the EAP method (MD5, TLS, FAST); the EAP-TLS case is shown.)

Supplicant -> Authenticator:  EAPoL Start
Authenticator -> Supplicant:  EAPoL Request Identity
Supplicant -> Authenticator:  EAPoL Response Identity
Authenticator -> AAA:         RADIUS Access-Request [AVP: EAP-Response: CP-79xx-xxxxxxxx]
AAA -> Authenticator:         RADIUS Access-Challenge [AVP: EAP-Request: TLS] (relayed to the supplicant)
Supplicant -> Authenticator:  EAP-Response: TLS Client Hello
Authenticator -> AAA:         RADIUS Access-Request [AVP: EAP-Response: TLS Client Hello]
AAA -> Authenticator:         RADIUS Access-Challenge [AVP: EAP-Request: TLS Server Hello] (relayed to the supplicant)
... (remaining TLS handshake legs, each an Access-Request / Access-Challenge pair)
AAA -> Authenticator:         RADIUS Access-Accept [AVP: device-traffic-class=voice] [AVP: voice VLAN 10, dACL-n]
Authenticator -> Supplicant:  EAP Success

Benefits:
• Strong authentication with minimal delay
• Can be deployed without touching the phone or creating a database
• Compatible with 802.1X features

Deployment considerations:
• Choice of EAP method impacts deployability
• Requires 7970G, 79x1, 79x2, 79x5 with X.509 cert support & firmware 8.5(2)
• AAA server dependency

MDA in Action

3750-1(config-if)#do sh dot1x int G1/0/5 details
<...>
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 0014.5e42.66df
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server

Domain = VOICE
Supplicant = 0016.9dc3.08b8
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = MAB
Authorized By = Authentication Server

Here the PC (DATA domain) is authenticated by 802.1X and the phone (VOICE domain) by MAB.

• Either 802.1X or MAB for the phone
• Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for the PC

Summary: Multiple Hosts per Port

| Host Mode | Enforcement | Deployment Considerations |
|---|---|---|
| Single | Single MAC address per port | A second MAC address triggers a security violation. VMs on the host must share the same MAC address. CDP Bypass is the only IPT solution. |
| Multi-Domain Auth (MDA) | One voice device + one data device per port | Same as single host mode except the phone authenticates. Supports third-party phones. |
| Multi-Auth | Superset of MDA with multiple data devices per port | Authenticates every MAC address in the data domain. VMs on the host may use different MAC addresses. One VLAN (the default port VLAN) for all devices on the port. |
| Multi-Host | One authenticated device allows any number of subsequent MAC addresses | Not recommended. VMs on the host may use different MAC addresses. CDP Bypass is the only IPT solution. |

Low Impact: Network Access Table

| Endpoints | Authentication Status | Authorization | Implementation |
|---|---|---|---|
| All (including PXE) | Pre-Auth | Limited Access | Pre-Auth ACL |
| Employees | 802.1X Success | Enterprise Access | Permit-Any dACL |
| Corporate Asset | MAB Success | Enterprise Access | Permit-Any dACL |
| Phones | 802.1X or MAB Success | Voice Access | MDA with Voice VSA + Permit-Any dACL |
| Employees | 802.1X Fail -> MAB or Web-Auth Success | Enterprise Access | Permit-Any dACL |
| Sponsored Guest | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Success | Limited + Internet Access | Permit-Internet dACL |
| Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail -> Web-Auth Fail | Limited Access | Pre-Auth ACL |
| All | None (AAA server down) | Limited Access | Pre-Auth ACL |

Cisco IP-Phone 802.1X (phone screenshots)

• Phone booting
• Access via the Security Settings menu
• 802.1X off by default
• Set the EAP-MD5 password
• Device ID must equal the ACS user ID
• Checking status

IPT & 802.1X: The Link-State Problem

(Figure: PC A, MAC 0011.2233.4455, and PC B, MAC 6677.8899.AABB, connected behind the phone on F0/2.)

1) Legitimate users cause a security violation: F0/2 is authorized for 0011.2233.4455 only. When PC A unplugs from the phone and PC B plugs in, the switch sees no link change, so B's MAC 6677.8899.AABB triggers a security violation.

2) Hackers can spoof the MAC to gain access without authenticating: 0011.2233.4455 is already authorized on F0/2, so a device plugged in behind the phone with a spoofed source MAC 0011.2233.4455 inherits the session. A security hole.

Partial Solution: Proxy EAPoL-Logoff

(Figure, three stages:)
1. PC A (supplicant SSC, 0011.2233.4455) is authenticated by 802.1X in the DATA domain; Port Status = AUTHORIZED.
2. PC A unplugs. The phone sends a proxy EAPoL-Logoff on the PC's behalf and the session is cleared immediately; DATA domain Port Status = UNAUTHORIZED.
3. PC B (supplicant SSC, 6677.8899.AABB) plugs in and authenticates by 802.1X; Port Status = AUTHORIZED.

Caveats:
• Only for 802.1X devices behind the phone
• Requires logoff-capable phones

Partial Solution: Inactivity Timeout Options

(Figure, three stages:)
1. Device 0011.2233.4455 is authorized by MAB in the DATA domain.
2. The device unplugs; the session stays up, so the port is vulnerable to a security violation and/or hole.
3. The inactivity timer expires; the session is cleared (Port Status = UNAUTHORIZED) and the vulnerability is closed.

interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity [300 | server]
 mab

Caveats:
• Quiet devices may have to re-auth; network access is denied until re-auth completes.
• Still a window of vulnerability.

Available from: 3K 12.2(50)SE*, 4K 12.2(50)SG, 6K 12.2(33)SXI

Partial Solution: MAC Move

(Figure: ACS AAA RADIUS server; wiring-closet switch with its CAM table (MAC address / switchport); a PC with MAC 00-1C-25-BA-6D-3B moves from an office to a conference room, possibly through an intermediary device.)

1. PC connects on GigabitEthernet 1/0/1 and authenticates.
2. CAM table updated (MAC/port): 00-1C-25-BA-6D-3B on GigabitEthernet 1/0/1.
3. PC moved to a new location.
4. PC authenticates on GigabitEthernet 1/0/14.
5. Previous session deleted and CAM table updated with the new entry.

Best Practice: Combine MAC Move with the Inactivity Timer

Full Solution: CDP 2nd Port Notification

(Figure, three stages:)
1. Device A (0011.2233.4455) is authorized by MAB in the DATA domain.
2. Device A unplugs. The phone sends a CDP link-down TLV for its second port to the switch and the session is cleared immediately; DATA domain Port Status = UNAUTHORIZED.
3. Device B (supplicant SSC, 6677.8899.AABB) plugs in and authenticates by 802.1X; Port Status = AUTHORIZED.

• The link status message addresses the root cause
• Session cleared immediately
• Works for MAB, 802.1X, and Web-Auth
• Nothing to configure

Requires: IP Phone 8.4(1); 3K 12.2(50)SE; 4K 12.2(50)SG; 6K 12.2(33)SXI

id-4503#sho cdp neigh g2/1 detail
-------------------------
Device ID: SEP0015C696E22C
Entry address(es):
  IP address: 10.1.200.10
Platform: Cisco IP Phone 7971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1,  Port ID (outgoing port): Port 1
Holdtime : 168 sec
Second Port Status: Down
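On switches or phones that predate the 2nd-port notification, the link-state problem from the earlier slide can be audited from the two outputs shown in this section: a DATA-domain session that is still AUTHORIZED on a port whose phone reports "Second Port Status: Down" is stale and can be inherited by a MAC spoofer. The script below is an added example (not from the presentation or from Cisco); CDP_DETAIL and DOT1X_DETAILS are constructed samples shaped like the slides' "show cdp neighbors detail" and "show dot1x interface ... details" listings, trimmed to the fields the check needs.

```python
import re

# Constructed sample shaped like the slide's "show cdp neighbors detail" listing.
CDP_DETAIL = """\
-------------------------
Device ID: SEP0015C696E22C
Platform: Cisco IP Phone 7971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/1,  Port ID (outgoing port): Port 1
Second Port Status: Down
-------------------------
Device ID: SEP00169DC308B8
Platform: Cisco IP Phone 7971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/2,  Port ID (outgoing port): Port 1
Second Port Status: Up
-------------------------
Device ID: SEP00AABBCCDDEE
Platform: Cisco IP Phone 7971,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet2/3,  Port ID (outgoing port): Port 1
Second Port Status: Down
-------------------------
Device ID: dist-sw-1
Platform: cisco WS-C3750G-24TS,  Capabilities: Switch IGMP
Interface: GigabitEthernet2/24,  Port ID (outgoing port): GigabitEthernet1/0/1
"""

# Constructed samples shaped like the "show dot1x interface ... details" client list,
# keyed by the interface they were collected on.
DOT1X_DETAILS = {
    "GigabitEthernet2/1": """\
Dot1x Authenticator Client List
-------------------------------
Domain = VOICE
Supplicant = 0015.c696.e22c
Port Status = AUTHORIZED
Authentication Method = MAB
Domain = DATA
Supplicant = 0011.2233.4455
Port Status = AUTHORIZED
Authentication Method = MAB
""",
    "GigabitEthernet2/2": """\
Domain = VOICE
Supplicant = 0016.9dc3.08b8
Port Status = AUTHORIZED
Authentication Method = MAB
Domain = DATA
Supplicant = 6677.8899.aabb
Port Status = AUTHORIZED
Authentication Method = Dot1x
""",
    "GigabitEthernet2/3": """\
Domain = VOICE
Supplicant = 00aa.bbcc.ddee
Port Status = AUTHORIZED
Authentication Method = MAB
""",
}


def parse_cdp_phones(text):
    """{interface: second-port status} for neighbours advertising the Phone capability."""
    phones = {}
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        iface = re.search(r"^Interface: ([^,\s]+)", block, re.M)
        second = re.search(r"^Second Port Status: (\w+)", block, re.M)
        caps = re.search(r"Capabilities: (.+)$", block, re.M)
        if iface and second and caps and "Phone" in caps.group(1).split():
            phones[iface.group(1)] = second.group(1)
    return phones


def parse_dot1x_sessions(text):
    """One dict per 'Domain =' stanza, holding every 'key = value' line that follows it."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Domain":
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def stale_data_sessions(cdp_text, dot1x_by_interface):
    """(interface, supplicant MAC, method) for every AUTHORIZED DATA-domain session on a
    port whose phone says its second port is Down: nothing legitimate is behind it."""
    stale = []
    for iface, second_port in parse_cdp_phones(cdp_text).items():
        if second_port != "Down":
            continue
        for s in parse_dot1x_sessions(dot1x_by_interface.get(iface, "")):
            if s.get("Domain") == "DATA" and s.get("Port Status") == "AUTHORIZED":
                stale.append((iface, s.get("Supplicant"), s.get("Authentication Method")))
    return stale
```

In the sample only GigabitEthernet2/1 is flagged: its phone's second port is down but a MAB session for 0011.2233.4455 is still authorized in the DATA domain, which is exactly the state the "security hole" slide describes. The result is a list you can feed to a `clear authentication sessions` run or to the inactivity-timer tuning on the previous slides.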

DEMO Time: CDP 2nd Port Notifications

Phase 3: High Security Access Control

Phase 3: ACME Gets Acquired by Widget, Inc.

New Security Policy & Network Requirements:

VLAN Segmentation
• Engineers on the ENG VLAN
• Machines on the MACHINE VLAN
• Employees/managed assets on the DATA VLAN
• Unauthenticated devices on the RESTRICTED VLAN only

Branch Survivability
• "Fail open" when the AAA server is unreachable

Widget's goals can be met with High Security Mode.

How this will happen

| Policy Change | Solution Change |
|---|---|
| VLAN Segmentation | Dynamic identity-based VLAN assignment |
| No unauthenticated traffic on the DATA VLAN | Open mode -> Closed mode |
| Unauthenticated devices on the RESTRICTED VLAN only | Local authorization (AuthFail VLAN, Guest VLAN) |
| Branch Survivability | Critical Auth VLAN |

High Security: Network Access Table

| Endpoints | Authentication Status | Authorization | Implementation |
|---|---|---|---|
| All (including PXE) | Pre-Auth | None | |
| Employees | 802.1X Success | Enterprise Access | |
| Corporate Asset | MAB Success | Enterprise Access | |
| Phones | 802.1X or MAB Success | Voice Access | |
| Engineers | 802.1X Success | Engineer Access | |
| Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access | |
| All | None (AAA server down) | Enterprise Access | |

Dynamic Authorization: VLAN Assignment

Identity-based
• The assigned VLAN is based on identity at the time of authentication
• Identity can be individual or group

VLAN name
• VLANs are assigned by name (not number); this allows for more flexible VLAN management
• The assigned VLAN must match the switch configuration; a mismatch results in authentication failure

Standards-based
• The usage of VLANs is specified in the IEEE 802.1X standard
• RFC 2868 defines the tunnel attributes the AAA server uses to send the VLAN name to the switch

Tunnel attributes
• [64] Tunnel-Type = "VLAN" (13)
• [65] Tunnel-Medium-Type = "802" (6)
• [81] Tunnel-Private-Group-ID = <VLAN name>

Segmenting Users, Devices and Networks: How to Extend IBNS Policy into the Network

Use the network to provide isolation and simplified policy enforcement:
• GRE tunnels and policy routing
• VRF-Lite end-to-end (virtual routing and forwarding)
• VRF-Lite at the distribution with MPLS L3 VPNs at the core
• MPLS L3 VPNs end-to-end

(Figure: Dept: HR and Dept: ENGR segments with overlapping address space co-existing; the "Guest" VLAN tunneled to the Internet DMZ; encrypted VoIP on an ultra-secure segment.)

802.1X User Distribution Enhances Dynamic VLAN Assignment

Addresses two use cases:
• Allow mapping the RADIUS-provided VLAN name to different VLANs on different switches (no need to reconfigure the RADIUS-provided VLAN name).
• Allow distribution of the RADIUS-provided VLAN to multiple different VLANs locally available on the same logical switch (load balancing; reduces the broadcast domain).

(Figure: RADIUS returns ENG-DATA. Different VLANs on different switches: SW1 maps it to VLAN 20 ENG-DATA-SW1 and SW2 to VLAN 30 ENG-DATA-SW2. Large number of ports: a single switch distributes it across VLAN 40 ENG-GROUP-1, VLAN 41 ENG-GROUP-2 and VLAN 42 ENG-GROUP-3.)

User Distribution "Mapping" Can Simplify Migration to Dynamic VLANs

• Allows flexible adoption in existing environments
• No need to reconfigure existing VLANs
• Simplifies policy in the AAA server

AAA server policy: user Alice -> VLAN "corporate"

SW1 (traditional VLAN assignment is by VLAN name):
  VLAN name "corporate" = number 30  ->  Alice lands in VLAN 30

SW2 (user distribution assigns by VLAN group or name):
  VLAN name "corporate-2" = number 40, VLAN group "corporate" = 40  ->  Alice lands in VLAN 40

User Distribution: "Distribution"

Allows highly scalable 802.1X-based VLAN assignment in a large-scale campus LAN deployment (high port density).

(Figure: the AAA server returns the RADIUS attribute "corporate"; on the switch that attribute maps to VLAN 20 corp-1, VLAN 21 corp-2 and VLAN 22 corp-3, and users are spread across them by the evenly distributed algorithm.)

Configuring VLAN groups

Switch(config)# vlan group <groupname> vlan-list <list of vlans>

<groupname>: name for the VLAN group, starting with a letter
<list of VLANs>: a single VLAN, a range of VLANs, or comma-separated VLANs

Switch(config)# vlan group corporate vlan-list 4
Switch(config)# vlan group corporate vlan-list 40-50
Switch(config)# vlan group corporate vlan-list 12,52,75
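An added example (not from the presentation or from Cisco) tying the Dynamic Authorization slide to the VLAN group configuration above: it encodes and decodes the three RFC 2868 tunnel attributes, including the tag byte that precedes each value and that trips up hand-written decoders, parses `vlan group ... vlan-list` lines in the three forms shown, and resolves the RADIUS-supplied name on the switch. Two things are assumptions, because the slides only say "evenly distributed": the group member with the fewest active sessions is chosen, and a VLAN group is consulted before a plain VLAN name. A name that matches neither is returned as None, which is the authentication failure the Dynamic Authorization slide describes.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def encode_vlan_attrs(vlan_name, tag=1):
    """Attribute values as the AAA server sends them (RFC 2868): Tunnel-Type and
    Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer; the Private-Group-ID
    string carries a leading tag byte, which the receiver must strip."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()),
    ]


def _tag_and_int(value):
    return value[0], int.from_bytes(value[1:4], "big")


def _tag_and_string(value):
    if value and value[0] <= 0x1F:            # RFC 2868 s3.6: first octet is a tag
        return value[0], value[1:].decode()
    return 0, value.decode()                   # untagged string


def decode_vlan_name(attrs):
    """Switch side: use the assignment only if all three attributes are present with
    the same tag and say VLAN over 802 media; otherwise ignore them."""
    by_tag = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, n = _tag_and_int(v)
            by_tag.setdefault(tag, {})[t] = n
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, name = _tag_and_string(v)
            by_tag.setdefault(tag, {})[t] = name
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def parse_vlan_groups(config_lines):
    """'vlan group <name> vlan-list 4' / '40-50' / '12,52,75' -> {name: [vlan ids]};
    repeated lines for the same group accumulate, other config lines are ignored."""
    groups = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["vlan", "group"] and parts[3] == "vlan-list":
            ids = []
            for item in parts[4].split(","):
                lo, _, hi = item.partition("-")
                ids.extend(range(int(lo), int(hi or lo) + 1))
            groups.setdefault(parts[2], []).extend(ids)
    return groups


def resolve_vlan(vlan_name, vlan_names, vlan_groups, sessions_per_vlan):
    """Map the RADIUS-supplied name to a local VLAN ID. A group gets its least-loaded
    member (assumed distribution rule, lowest ID on ties); otherwise a plain VLAN name
    is looked up; None means the VLAN does not exist here and authentication fails."""
    if vlan_groups.get(vlan_name):
        return min(vlan_groups[vlan_name], key=lambda v: (sessions_per_vlan.get(v, 0), v))
    return vlan_names.get(vlan_name)
```

With the SW1/SW2 example from the "Mapping" slide, `resolve_vlan("corporate", {"corporate": 30}, {}, {})` gives 30 on SW1, while on SW2 the group wins and a member of the group is returned.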

High Security: Network Access Table

| Endpoints | Authentication Status | Authorization | Implementation |
|---|---|---|---|
| All (including PXE) | Pre-Auth | None | Closed Mode |
| Employees | 802.1X Success | Enterprise Access | Default DATA VLAN |
| Corporate Asset | MAB Success | Enterprise Access | Default DATA VLAN |
| Phones | 802.1X or MAB Success | Voice Access | Voice VLAN |
| Engineers | 802.1X Success | Engineer Access | ENG VLAN |
| Machines | 802.1X Success | Machine Access | |
| Unknown / Unauthorized | 802.1X Fail/Timeout -> MAB Fail | Limited Access | |
| All | None (AAA server down) | Enterprise Access | |

User and Machine/Device Authorization

802.1X & Dynamic VLANs: Deployment Considerations

VLAN proliferation
• Every access switch must support every assignable VLAN
• In multi-layer deployments, all these VLANs must be trunked to the distribution layer
• Every new VLAN will require a new subnet on every access switch (routed access & multi-layer*)
  *VSS removes this requirement

Address changes
• Devices that change VLANs as a result of authentication MUST be capable of getting a new address on the new VLAN
• Most supplicants CAN get a new address
• Most clientless devices CANNOT
• Even successful address changes can cause problems with end-host functionality

Coping with VLAN Change: DHCP Renewal, Microsoft Windows Example (the actual technique is supplicant dependent)

1. Device authentication: the machine's credentials are forwarded to the ACS server, which checks its device identity store and accepts.
2. User authentication: user login request, credentials sent and forwarded to ACS, which checks Active Directory and accepts; EAP-Success; user VLAN assignment.
3. As soon as the EAP-Success frame is received, the client sends ICMP Echo (x3) to its default gateway from the "old IP".
4. After the pings have gone unanswered, the client sends a DHCP-Request (D=255.255.255.255) for its old lease and the server answers DHCP-NAK (wrong subnet).
5. The client sends DHCP-Discover (D=255.255.255.255); at this point DHCP proceeds normally.

VLAN Changes Can Disrupt Desktop Operation

In legacy (pre-Vista) Microsoft environments, changing the VLAN can break user and/or machine GPOs: Windows XP cannot re-negotiate the secure connection with AD if the IP address changes during the GPO download.

What's a GPO? And why should I care about breaking it?

A Group Policy Object (GPO) is used to deliver and apply configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Windows admins use GPOs for system compliance and security enforcement, e.g.:
• Network drive mapping
• Applying logon/logoff scripts to workstations
• Batch mechanism to trigger applications
• Security compliance enforcement such as password rules, etc.

Breaking GPOs is an RPE (Resume Producing Event).

"Ideal" Microsoft Boot Process: If Only It Were This Easy

Machine authentication (every step from 3 onward depends on network connectivity):
1. Power on
2. Kernel loading, Windows HAL loading, device driver loading
3. Obtain network address (static, DHCP)
4. Determine site and DC (DNS, LDAP)
5. Establish secure channel to AD (LDAP, SMB)
6. Kerberos authentication (machine account)
7. Computer GPOs loading (async)
8. GPO-based startup script execution
9. Certificate auto-enrollment, time synchronization, dynamic DNS update
10. GINA (logon prompt)

"Pre-logon" user authentication:
11. Kerberos auth (user account)
12. User GPOs loading (async)
13. GPO-based logon script execution (SMB)


Real Boot Process With Fast Logon: Machine GPOs Will Break with XP

The same sequence as the ideal one, with 802.1X added:

• 802.1X machine authentication runs at some point during boot; exactly when it starts varies among supplicants. Only once it succeeds is the port opened into the Machine VLAN.
• Obtaining a network address, determining the site and DC, establishing the secure channel to AD, machine Kerberos authentication, computer GPO loading and startup script execution are all in a race condition with 802.1X machine authentication.
• With Fast Logon Optimization, GINA is presented before the machine-side steps have finished.
• 802.1X user authentication at GINA moves the port to the User VLAN. The machine-side steps still in flight (marked X on the original slide) lose their connection to AD; with XP, the machine GPOs break.


Real Boot Process With Race Conditions: User GPOs Can Break with XP

Same sequence, same race, seen from the user side: 802.1X machine authentication completes and boot proceeds in the Machine VLAN, but user Kerberos authentication, user GPO loading and logon script execution (SMB), which start after GINA, overlap with 802.1X user authentication and the move to the User VLAN. The IP address changes mid-download, XP cannot re-negotiate the secure channel, and the user GPOs break (steps marked X on the original slide). Again, when the 802.1X authentications start varies among supplicants.


Dynamic VLAN Assignment Best Practices

Vista SP2 or Windows 7:

• No restrictions on VLAN assignment
• Vista and Win7 can re-negotiate the secure channel with AD when the IP address changes

XP and earlier:

• Use only machine authentication, or
• Use the same VLAN for user and machine authentication

If you do not need Layer 2 segmentation, reconsider ACLs (per-user / downloadable ACLs) instead of VLAN assignment: the authorization changes, but the IP address does not.


High Security: Network Access Table

Endpoints                Authentication Status             Authorization       Implementation
All (including PXE)      Pre-Auth                          None                Closed Mode
Employees                802.1X Success                    Enterprise Access   Default DATA VLAN
Corporate Asset          MAB Success                       Enterprise Access   Default DATA VLAN
Phones                   802.1X or MAB Success             Voice Access        Voice VLAN
Engineers                802.1X Success                    Engineer Access     ENG VLAN
Machines                 802.1X Success                    Machine Access      MACHINE VLAN
Unknown / Unauthorized   802.1X Fail/Timeout -> MAB Fail   Limited Access      (filled in on a later slide)
All                      None (AAA server down)            Enterprise Access   (filled in on a later slide)


DEMO: Machine VLAN

ACS: using AD groups for authorization rules


High Security: Unknown Devices


Flex-Auth for Unknown Devices: Agentless Devices in High Security Mode

Flex-Auth enables a single configuration for most use cases:

• Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
• Configurable behavior after 802.1X failure
• Configurable order and priority of authentication methods
• Configurable behavior before and after the AAA server dies


Non-802.1X Client: Guest VLAN

Any 802.1X-enabled switchport sends EAP-Request-Identity frames on the wire, whether a supplicant is there or not.

A device is deployed into the guest VLAN purely on the basis of not responding to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos).

No further security or authentication is applied. It is as if the administrator had de-configured 802.1X and hard-set the port into the specified VLAN.

The exchange as drawn on the original slide (the client never runs 802.1X; all frames go to the PAE group address 01:80:c2:00:00:03):

1. Upon link up, the switch sends EAP-Request-Identity. No response.
2. After 30 seconds, EAP-Request-Identity again. No response.
3. After another 30 seconds, EAP-Request-Identity again. No response.
4. After another 30 seconds, the switch sends EAP-Success and the port is deployed into VLAN 51.

Configuration:

  interface GigabitEthernet3/13
   authentication port-control auto
   authentication event no-response action authorize vlan 51


802.1X with Guest VLAN: Deployment Considerations

• When a port moves to the Guest VLAN, any number of additional MACs are allowed on the port without authenticating.
• Guest VLAN is a switch-local authorization: the centralized policy on the AAA server is not enforced.
• Guest VLAN does not differentiate, e.g. guest users get the same access as a corporate printer.
• Guest VLAN can be the fallback after 802.1X timeout and MAB failure.
• The default 802.1X timeout is 30 seconds (tx-period) with three EAP-Request-Identity transmissions (the initial one plus two retries), i.e. 90 seconds before the switch gives up. 90 seconds is longer than the DHCP client timeout.
• The dependency on the 802.1X timeout means delayed network access for non-802.1X devices.
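To see how the 802.1X timeout, the Flex-Auth method order and the DHCP client's retry schedule interact, here is an added example (not from the original deck) that computes when a supplicant-less host gets access and which DHCPDISCOVER is the first one the switch actually forwards. The IOS defaults (tx-period 30 s, max-reauth-req 2) and the RFC 2131 DISCOVER back-off (4, 8, 16, 32, 64 s) are real; the one-second MAB round trip and the six-attempt DHCP client are assumptions. One caveat for the configurations on this page: on IOS the number of EAP-Request-Identity retransmissions before the no-response action is `dot1x max-reauth-req`, not `dot1x max-req` (which governs retries of later EAP requests once a supplicant has answered), so a port tuned for fast fallback needs tx-period and max-reauth-req set together.

```python
"""How long a supplicant-less host waits for access under Flex-Auth, versus its DHCP client.

Added example, not from the original deck. The IOS 802.1X timer defaults (tx-period 30 s,
max-reauth-req 2) and the RFC 2131 DHCPDISCOVER back-off are real; MAB_RTT and
DHCP_ATTEMPTS are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAB_RTT = 1.0       # assumed: one RADIUS round trip for MAB, in seconds
DHCP_ATTEMPTS = 6   # assumed: DISCOVERs a client sends before giving up


@dataclass(frozen=True)
class Dot1xTimers:
    tx_period: int = 30      # dot1x timeout tx-period: seconds between EAP-Request-Identity frames
    max_reauth_req: int = 2  # dot1x max-reauth-req: retransmissions before "no response"


def identity_request_schedule(t: Dot1xTimers) -> List[int]:
    """Seconds after link-up at which the switch sends EAP-Request-Identity."""
    return [i * t.tx_period for i in range(t.max_reauth_req + 1)]


def dot1x_timeout(t: Dot1xTimers) -> int:
    """Seconds after link-up at which the switch declares 'no response':
    the last request goes out, then one more tx-period expires."""
    return t.tx_period * (t.max_reauth_req + 1)


def time_to_access(t: Dot1xTimers, order: Sequence[str] = ("dot1x", "mab"),
                   mac_known: bool = True) -> float:
    """Seconds until a host with no supplicant is authorized, walking the configured
    'authentication order': dot1x always runs to its timeout; mab costs one RADIUS round
    trip and succeeds only if AAA knows the MAC; if no method succeeds, the fallback
    action (guest / auth-fail VLAN) fires after the last one."""
    total = 0.0
    for method in order:
        if method == "dot1x":
            total += dot1x_timeout(t)
        elif method == "mab":
            total += MAB_RTT
            if mac_known:
                return total
        else:
            raise ValueError(f"unknown method {method!r}")
    return total


def dhcp_discover_offsets(attempts: int = DHCP_ATTEMPTS) -> List[int]:
    """Seconds after link-up at which the DHCP client sends DISCOVER: immediately, then with
    the RFC 2131 exponential back-off of 4, 8, 16, 32, 64 s between retransmissions."""
    offsets, delay = [0], 4
    while len(offsets) < attempts:
        offsets.append(offsets[-1] + delay)
        delay = min(delay * 2, 64)
    return offsets


def first_discover_after(access_time: float, attempts: int = DHCP_ATTEMPTS) -> Optional[int]:
    """Offset of the first DISCOVER the switch forwards, or None if the client gave up first."""
    return next((o for o in dhcp_discover_offsets(attempts) if o >= access_time), None)


def assess(t: Dot1xTimers, order: Sequence[str] = ("dot1x", "mab"),
           mac_known: bool = True) -> dict:
    """What a deployment engineer wants to know about one port configuration."""
    access = time_to_access(t, order, mac_known)
    return {
        "identity_requests_at": identity_request_schedule(t),
        "access_at": access,
        "first_forwarded_discover_at": first_discover_after(access),
    }


if __name__ == "__main__":
    cases = [
        ("IOS defaults, order dot1x mab", Dot1xTimers(), ("dot1x", "mab")),
        ("tx-period 10, order dot1x mab", Dot1xTimers(tx_period=10), ("dot1x", "mab")),
        ("tx-period 10, order mab dot1x", Dot1xTimers(tx_period=10), ("mab", "dot1x")),
    ]
    for label, timers, order in cases:
        print(f"{label}: {assess(timers, order)}")
```

With the defaults a printer is authorized at about 91 seconds and a DHCP client that stops after five DISCOVERs never gets an address; with tx-period 10 the first forwarded DISCOVER is the one at 60 seconds, and with MAB ordered first it is the one at 4 seconds.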


Guest VLAN and Web Auth Are Mutually Exclusive

Two fallback chains; a port gets one or the other, not both.

802.1X -> 802.1X timeout -> MAB -> MAB fails -> Guest VLAN

  interface GigabitEthernet3/13
   authentication port-control auto
   dot1x pae authenticator
   mab
   authentication event no-response action authorize vlan 40

802.1X -> 802.1X timeout -> MAB -> MAB fails -> Web Auth

  interface GigabitEthernet3/13
   authentication port-control auto
   dot1x pae authenticator
   mab
   authentication fallback WEB-AUTH


Flex-Auth for Unknown Devices: Devices that Fail 802.1X in High Security Mode

Flex-Auth enables a single configuration for most use cases:

• Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
• Configurable behavior after 802.1X failure: 1) Next-Method, 2) Auth-Fail VLAN
• Configurable order and priority of authentication methods
• Configurable behavior before and after the AAA server dies


Failed 802.1X: Auth-Fail VLAN Is an Alternative to Next-Method

After 802.1X failure:

  6506-2(config-if)#authentication event fail action authorize vlan 10

• The endpoint fails 802.1X: the user is unknown.
• Access is restricted to the Auth-Fail VLAN (VLAN 10 here).
• The supplicant is expected to "fail open".
• Now with RADIUS accounting.


802.1X with Auth-Fail VLAN: Deployment Considerations

• No secondary authentication mechanism: the supplicant cannot exit the Auth-Fail VLAN on its own.
• The only alternatives are switch-initiated re-authentication or a port bounce.
• Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization: the centralized policy on the AAA server is not enforced.
• Switch and AAA server have conflicting views of the network (access denied from the server's point of view, access granted from the switch's); this is mitigated by the new RADIUS accounting.


High Security: Network Access Table (with Auth-Fail VLAN)

Endpoints                Authentication Status             Authorization       Implementation
All (including PXE)      Pre-Auth                          None                Closed Mode
Employees                802.1X Success                    Enterprise Access   Default DATA VLAN
Corporate Asset          MAB Success                       Enterprise Access   Default DATA VLAN
Phones                   802.1X or MAB Success             Voice Access        Voice VLAN
Engineers                802.1X Success                    Engineer Access     ENG VLAN
Machines                 802.1X Success                    Machine Access      MACHINE VLAN
Unknown / Unauthorized   802.1X Fail/Timeout -> MAB Fail   Limited Access      Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN
All                      None (AAA server down)            Enterprise Access   (filled in on a later slide)


Flex-Auth for Unknown Devices: Devices Are Unknown Because AAA Is Down

Flex-Auth enables a single configuration for most use cases:

• Configurable behavior after 802.1X timeout: 1) Next-Method, 2) Guest VLAN
• Configurable behavior after 802.1X failure: 1) Next-Method, 2) Auth-Fail VLAN
• Configurable order and priority of authentication methods
• Configurable behavior before and after the AAA server dies: Critical VLAN


Inaccessible Authentication Bypass

• The switch detects that AAA is unavailable by one of two methods:
  1. Periodic probe
  2. Failure to respond to an AAA request
• The switch then answers the supplicant's EAPOL-Start with EAP-Success and enables the port in the critical VLAN if one is defined, otherwise in the switchport's configured VLAN.
• Existing sessions retain their authorization status.
• Applies to data devices only.
• A recovery action can re-initialize the port when AAA returns.

(The original diagram shows the RADIUS server reached across a WAN / Internet VPN tunnel, the typical case in which AAA becomes unreachable.)


RADIUS Server(s) Inaccessible

  radius-server host 10.1.10.50 test username KeepAliveUser key cisco
  radius-server dead-criteria time 15 tries 3
  radius-server deadtime 1
  !
  interface GigabitEthernet1/13
   description Dot1x Demo with Auth-Fail VLAN
   switchport access vlan 2
   switchport mode access
   switchport voice vlan 200
   authentication event fail action next-method
   authentication event server dead action authorize vlan 100
   authentication event server alive action reinitialize
   authentication order dot1x mab
   dot1x pae authenticator
   authentication port-control auto
   dot1x timeout tx-period 10
   dot1x max-req 2
   mab
   spanning-tree portfast

The test username is what the periodic probe authenticates with; dead-criteria marks the server dead after 15 seconds without a response and 3 failed tries, and deadtime (in minutes) is how long it stays marked dead before being retried. VLAN 100 is the critical VLAN here.

The critical VLAN can be anything:

• The static (switchport) VLAN
• The same VLAN as guest / auth-fail
• A new VLAN


High Security: Network Access Table (with Critical VLAN)

Endpoints                Authentication Status             Authorization       Implementation
All (including PXE)      Pre-Auth                          None                Closed Mode
Employees                802.1X Success                    Enterprise Access   Default DATA VLAN
Corporate Asset          MAB Success                       Enterprise Access   Default DATA VLAN
Phones                   802.1X or MAB Success             Voice Access        Voice VLAN
Engineers                802.1X Success                    Engineer Access     ENG VLAN
Machines                 802.1X Success                    Machine Access      MACHINE VLAN
Unknown / Unauthorized   802.1X Fail/Timeout -> MAB Fail   Limited Access      Auth-Fail VLAN = Guest VLAN = UNAUTH VLAN
All                      None (AAA server down)            Enterprise Access   Critical VLAN


Mobility, Agility and Security

Université de Montréal

Wired 802.1X Network Access control

Speaker: Michel L'Heureux, ing., PMP

Networking department manager at

Université de Montréal - DGTIC

June 2010


Université de Montréal

• A Major University
  – Founded in 1878, Université de Montréal, with its two affiliated schools, École Polytechnique and HEC Montréal, is now the largest university in Quebec and the second largest in Canada.
  – Deeply rooted in Montreal and dedicated to its international mission, the Université de Montréal is one of the top universities in the French-speaking world.
  – With its 13 programs, 80 departments and schools, the Université de Montréal offers programs in almost all academic fields.
  – The University earmarks close to $460 million for basic and applied research each year, making it Canada's second most active university in the field.


A Network for the Future

• Network architecture project started in 2007

– Objective: Become one of the best university campus networks

• Switching

– Backbone upgrade to 10 Gb/s, MPLS in the Core

– VSS for core redundancy and replace spanning-tree

– Catalyst 6500E for Core and Distribution

– Catalyst 4500E for 1 Gb/s network Access

• IP Telephony

– 9000 IP Phones

– Call manager v7, 2 Unity, 3 IPCC, 5 SRST

• Wifi

– 2500 Access Points 802.11n

• Security

– 802.1X authentication for all wired ports and wifi access


As We Speak

• Switching / routing infrastructure: 80% completed
• IP Telephony: 80% completed
• Wifi: 60% completed
• Security: more than a thousand 802.1X-enabled wired ports; 25,000 ports planned


Network Security

An internal audit performed in 2005 demonstrated that the University network access did not comply with security best practices. The response:

• Private network, distinct from the Internet: 132.204.x.x -> 10.x.x.x
• Access control and secured (authenticated) access: 802.1X for each wired network port
• Network segmentation based on user role (community): employee, student and guest, plus an infrastructure community


Community Segmentation

User community:
• Based on user role
• Assigned from the top security level

Workstations   Security needs                                Risk
Employees      Consult and manage confidential information   Lower risk for managed workstations (SCCM, anti-virus, GPO)
Students       Basic + school work                           High, due to unmanaged workstations
Guest          Basic                                         Very high: unknown workstations


Community Segmentation: Isolating the Communities

Need to reinforce new services for collaboration between the different user communities:

• File sharing
• Printing
• Better use of central resources


Univ de Montréal 802.1X deployment

• Use of centralized and unique AD accounts through Cisco ACS RADIUS servers
• Use of the OS-native supplicant whenever possible: XP, Win7 and Mac
  – Credentials: AD password
  – EAP method: PEAP-MSCHAPv2
• A university-managed workstation (registered on the AD domain) must do both machine and user authentication. All others do only user authentication.


Univ de Montréal 802.1X deployment (cont.)

• Faculty, staff, students and guests are invited (and encouraged) to use the 802.1X configuration with a supplicant
• Exceptions:
  – IP phones are not 802.1X aware (except the G series), so CDP is used to bypass 802.1X
  – Web Auth is used for first-time users and for workstations not supporting a supplicant
  – MAB (MAC Authentication Bypass) for devices not supporting a supplicant and with no possibility of doing Web Auth (printers, surveillance cameras, etc.)
  – Critical Auth VLAN


Dynamic VLAN assignment


Dynamic VLAN assignment

• How many VLANs are used?
  – One VRF for each "community"
• How do you manage VLAN assignment for users vs. machines?
  – 1 VLAN per community per switch
  – Machines do not get a "community" VLAN. They land in a pre-auth VLAN.


Environment Diversity Snapshot

1. Remote access: Remote Desktop (RDP), remote access for Mac/Apple, NetSupport School
2. License servers: Windows 7, Adobe, Sequencher, FileMaker, MatLab and others
3. Startup services: NetBoot (Mac/Apple)
4. Linux: SSH, LDAP, Kerberos, NIS, NFS / Samba, rdist, rsync, scp, puppet
5. Other: cold imaging, backup and recovery software (GHOST), RedHat Network / YUM (Yellowdog Updater, Modified), SCCM 2007 (System Center Configuration Manager)


Challenges and Solutions

• "GHOSTing machines"
  – Use of MAB to configure the GHOST environment
• Remote Desktop (Windows)
  – Must leave the desktop "logged in" and locked


Challenges and Solutions (cont.)

• WebAuth on Catalyst 4500
  – "Authentication timeout": this issue produced a forced re-auth after 30 min. Users would lose their session every time. Could not configure this through the normal timeout control. This was escalated to Cisco.
  – An early fix was supplied to correct this. Waiting for the next IOS release, 12.2(53)SG3, for full permanent integration.
  – The WebAuth portal login page is unable to display any custom images or logo.
  – The WebAuth portal login page cannot redirect the user to any other page or web site.


Challenges and Solutions (cont.)

• "Apple NetBoot"
  – Very limited functionality in a routed environment
  – Challenge implementing the 802.1X configuration
  – Support for scripting is only available from OS 10.6.2


Lessons Learned

• A few pieces of advice for a proper deployment:
  – Problems are not so much in the 802.1X protocol but more in the operational aspects of the deployment.
  – Careful definition and identification of the users' needs is mandatory.
  – Cisco doesn't supply tools to integrate 802.1X in a heterogeneous environment like a university campus.
• Monitoring and troubleshooting
  – At deployment time, prepare to cope with a flow of help-desk calls.
  – Plan on building your own processes and tools.


Questions


Advanced Features: NEAT


NEAT Problem Statement and Drivers

Network device identity:

• Compact switches like the Cisco Catalyst 8-port 3560 or 2960 will be deployed in unsecured areas such as cubicles and conference rooms, outside the secured wiring closet.
• These network devices can potentially be swapped with an attacker's device to gain network access, compromising network security.
• Customers' requirement is to have (network) device-based access control for tighter security.

Result: customers want network device authentication to mitigate these types of security threats. (The original diagram labels the two outcomes on the enterprise network as "Access gained" for the swapped device and "Access blocked" once the uplink is authenticated.)


Network Edge Authentication Topology: Network Edge Trust Extension

Extend trust into physically unsecured locations (e.g. conference room, cubicle) and get secure access control for shared media access. The sequence, reconstructed from the original diagram (compact switch in a conference room, connected through a wall jack to the wiring closet switch, which talks to AAA):

1. The wiring closet switch port starts Unauthorized. The compact switch authenticates to it (switch authentication against AAA); the port becomes Authorized and allows only the MAC of the authenticated switch.
2. A host connects to the compact switch and performs machine authentication; the compact switch port goes from Unauthorized to Authorized and allows only the MAC of the authenticated host.
3. The compact switch advertises the MAC of the authenticated host upstream; the wiring closet switch allows the MACs advertised by the authenticated switch.
4. On disconnect, power down or logoff, the compact switch advertises MAC removal (based on aging or link down), and the wiring closet switch removes that MAC per the notification.


Advanced Features: CoA


RADIUS Change of Authorization (CoA)

RFC 3576 (since superseded by RFC 5176) defines the "Packet of Disconnect", which terminates a session.

Cisco has extended support for CoA with the following actions:

• Terminate session
• Re-authenticate
• Port bounce
• Port down

Each type of action has specific use case support.


CoA: Use Cases

Failed authentication with Auth-Fail VLAN:
• CoA can re-authenticate or terminate a session, and can retrigger authentication to try again after remediation.

Adding new MAC addresses to the network:
• After profiling or another change order, an agentless device may need its IP address changed.
• CoA with Port Bounce can be used to reset the IP stack on an agentless device.

Abnormal/destructive behavior observed on the network:
• CoA with Port Down is an emergency shut-off of a port. It can only be re-enabled from the CLI.


RADIUS Change of Authorization (CoA): Re-authenticate After Remediation

1. The endpoint fails authentication and is assigned to the Auth-Fail VLAN.
2. The endpoint remediates itself.
3. The policy server issues a RADIUS CoA with Reauthenticate.
4. The client is authenticated via dot1x and assigned the Corp VLAN.

Dynamic session control from a policy server:

• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session query: for active services, for complete identity
• Service specific: service activate, service de-activate, service query
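As an added example (not from the deck, and not Cisco or ACS code), here is the CoA-Request / CoA-ACK exchange of RFC 5176 in pure Python, both sides in one file: the policy server builds a request carrying the session identifiers and a Cisco `subscriber:command` AV pair, computes the Request Authenticator and checks the Response Authenticator on the reply; a simulated NAS verifies the request against its session table and answers ACK, or NAK with an Error-Cause. The shared secret, session id and MAC are constructed test data; the three `subscriber:command` values are the Cisco AV pairs for re-authenticate, port bounce and port down, and a real switch also needs `aaa server radius dynamic-author` configured with the policy server's address and key before it will accept these packets on UDP/3799.

```python
"""RADIUS Change of Authorization exchange (RFC 5176): policy-server request, NAS reply.

Added example, not from the original deck. The secret, session id and MAC used below
are constructed test data; the subscriber:command AV pairs are Cisco's CoA commands.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
HEADER_LEN = 20

# Cisco subscriber commands carried in a cisco-avpair VSA (the actions listed on the slide)
COMMANDS = {
    "reauthenticate": "subscriber:command=reauthenticate",
    "bounce": "subscriber:command=bounce-host-port",
    "disable": "subscriber:command=disable-host-port",
}


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 9 and sub-attribute 1 (cisco-avpair)."""
    return avp(ATTR_VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV attribute list; reject truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def request_authenticator(secret: bytes, code: int, ident: int, attrs: bytes) -> bytes:
    """RFC 5176 2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + bytes(16) + attrs + secret).digest()


def response_authenticator(secret: bytes, code: int, ident: int,
                           req_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def build_coa_request(secret: bytes, ident: int, session_id: str, mac: str, command: str) -> bytes:
    """Policy-server side: CoA-Request identifying the session and carrying the Cisco command."""
    attrs = (avp(ATTR_ACCT_SESSION_ID, session_id.encode())
             + avp(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_avpair(COMMANDS[command]))
    head = struct.pack("!BBH", COA_REQUEST, ident, HEADER_LEN + len(attrs))
    return head + request_authenticator(secret, COA_REQUEST, ident, attrs) + attrs


def nas_handle(secret: bytes, packet: bytes, active_sessions: Dict[str, str]) -> Optional[bytes]:
    """Simulated NAS: silently discard a bad authenticator (RFC 5176 2.3), else ACK or NAK.
    active_sessions maps Acct-Session-Id to the Calling-Station-Id it belongs to."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:HEADER_LEN], packet[HEADER_LEN:length]
    if code != COA_REQUEST or req_auth != request_authenticator(secret, code, ident, attrs):
        return None
    fields = dict(parse_attrs(attrs))
    session = fields.get(ATTR_ACCT_SESSION_ID, b"").decode()
    if active_sessions.get(session) == fields.get(ATTR_CALLING_STATION_ID, b"").decode():
        rcode, rattrs = COA_ACK, b""
    else:
        rcode = COA_NAK
        rattrs = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
    head = struct.pack("!BBH", rcode, ident, HEADER_LEN + len(rattrs))
    return head + response_authenticator(secret, rcode, ident, req_auth, rattrs) + rattrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Policy-server side: identifier must match and the Response Authenticator must check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(secret, code, ident, request[4:HEADER_LEN],
                                      response[HEADER_LEN:length])
    return expected == response[4:HEADER_LEN]


def coa_result(secret: bytes, request: bytes, response: bytes) -> Tuple[int, Optional[int]]:
    """(code, Error-Cause) of a verified reply; raises if the reply is not authentic."""
    if not verify_response(secret, request, response):
        raise ValueError("unauthentic CoA response")
    cause = None
    for t, v in parse_attrs(response[HEADER_LEN:]):
        if t == ATTR_ERROR_CAUSE:
            cause = struct.unpack("!I", v)[0]
    return response[0], cause


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    sessions = {"0000001A": "00-11-22-33-44-55"}  # constructed NAS session table
    req = build_coa_request(secret, 7, "0000001A", "00-11-22-33-44-55", "reauthenticate")
    print(coa_result(secret, req, nas_handle(secret, req, sessions)))    # CoA-ACK
    gone = build_coa_request(secret, 8, "0000001B", "00-11-22-33-44-55", "bounce")
    print(coa_result(secret, gone, nas_handle(secret, gone, sessions)))  # CoA-NAK, 503
```

Sending the bytes is a plain UDP datagram to the switch on port 3799; the important parts for a security engineer are the two authenticators, which are the only thing standing between a CoA client and anyone on the management network who can spoof the policy server's address.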


Advanced Features: 802.1X-Rev


Identity 4.1 Feature: 802.1X-Rev, MACsec and MKA

Scenario from the original diagram (wiring closet switch, campus LAN, AAA):

1. User bob connects.
2. Bob's policy indicates the endpoint must encrypt.
3. Key exchange using MKA, then 802.1AE encryption is established. The user is placed in the Corp VLAN and the session is secured.
4. User steve connects.
5. Steve's policy indicates the endpoint must encrypt.
6. Steve's endpoint is not MACsec enabled, so it is assigned to the Guest VLAN.

802.1X-Rev components:

• MACsec-enabled switches (Incredibles)
• AAA server that is 802.1X-Rev aware
• Supplicant supporting MKA and 802.1AE encryption


Advanced Features: Monitoring & Troubleshooting


Monitoring and Troubleshooting

ACS 5.1 Monitoring & Troubleshooting draws on both the IOS switches and the ACS servers.

Troubleshooting:
• Expert Troubleshooting Tool
• Troubleshooting workflows: authentication failure, authorization failure
• Switch log failure analysis (SNMP, Syslog, CLI, NetFlow)

Monitoring:
• User reporting: where, when and how connected; how long, how often; last passed, last failed
• Switch log reporting
• System reporting: pass/fail ratio
• Device reporting: profile history, status of profiled device

Alerts (delivered via syslog):
• Unknown NAS
• New ACS, new NAD
• External DB unavailable
• Failed auths thresholds
• Passed auths thresholds
• AAA down


ACS 5.1 Uses Multiple Sources of Information For Monitoring/Troubleshooting

Sources

• RADIUS logs

• Syslog from ACS(s)

• Syslog from Switches

• CLI

• SNMP

ACS 5.1 Tools

• Authentication Reports

• Session Directory

• Configuration Validator

• Network Device & Session Details

• Expert Troubleshooter


Configuration Validator


On Demand SNMP Polling

MIB-II (RFC-1213-MIB)

INTERFACE-MIB

IEEE8021-PAE-MIB

CISCO-PAE-MIB

CISCO-AUTH-FRAMEWORK-MIB

CISCO-MAB-MIB


Centralized View of Switch Syslogs

Example of what the switch log reveals that the RADIUS log alone does not: authentication passed (credentials were good) but the switch was unable to apply the authorization instructions (e.g. a bad VLAN assignment).
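Added example (not from the deck, and not ACS code): a small Python analyser over switch syslog lines that does the kind of switch-log failure analysis this slide describes. It groups the per-session messages by AuditSessionID and flags three patterns: authentication that passed but authorization failed (the bad-VLAN case above), hosts that failed both 802.1X and MAB (unknown devices that will end up in the next-method / auth-fail path), and ports with repeated authorization failures. The sample lines are constructed in the shape of the IOS AUTHMGR / DOT1X / MAB messages (`%DOT1X-5-SUCCESS`, `%AUTHMGR-5-FAIL`, ...); confirm the exact text your IOS release produces before relying on the regular expression.

```python
"""Switch-log failure analysis over IOS 802.1X syslog lines.

Added example, not from the deck and not ACS code. LOGS is constructed sample data in
the shape of IOS AUTHMGR/DOT1X/MAB messages; verify the exact text your release emits.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

LOGS = """\
Mar  3 10:01:02.123: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A01010A0000001A00B2F5C3
Mar  3 10:01:02.456: %AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A01010A0000001A00B2F5C3
Mar  3 10:02:10.001: %DOT1X-5-FAIL: Authentication failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001B00B2F600
Mar  3 10:02:11.002: %MAB-5-FAIL: Authentication failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001B00B2F600
Mar  3 10:02:12.003: %AUTHMGR-5-FAIL: Authorization failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001B00B2F600
Mar  3 10:03:00.000: %DOT1X-5-SUCCESS: Authentication successful for client (0022.3344.5566) on Interface Gi1/0/3 AuditSessionID 0A01010A0000001C00B2F700
Mar  3 10:03:00.100: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.3344.5566) on Interface Gi1/0/3 AuditSessionID 0A01010A0000001C00B2F700
Mar  3 10:03:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
Mar  3 10:04:00.000: %DOT1X-5-FAIL: Authentication failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001D00B2F800
Mar  3 10:04:01.000: %MAB-5-FAIL: Authentication failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001D00B2F800
Mar  3 10:04:02.000: %AUTHMGR-5-FAIL: Authorization failed for client (0050.56aa.bbcc) on Interface Gi1/0/2 AuditSessionID 0A01010A0000001D00B2F800
"""

LINE_RE = re.compile(
    r"%(?P<fac>DOT1X|MAB|AUTHMGR)-\d-(?P<mnem>SUCCESS|FAIL): "
    r".*?client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)"
)

Event = Tuple[str, str]  # (facility, mnemonic), e.g. ("AUTHMGR", "FAIL")


def parse(lines: Iterable[str]) -> Dict[str, dict]:
    """Group events by AuditSessionID: {sid: {"mac", "intf", "events": {(fac, mnem), ...}}}.
    Lines that are not authentication-manager messages are skipped."""
    sessions: Dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"mac": m["mac"], "intf": m["intf"], "events": set()})
        s["events"].add((m["fac"], m["mnem"]))
    return sessions


def analyse(lines: Iterable[str], fail_threshold: int = 2) -> Dict[str, list]:
    """Three findings a NOC would act on, each as (interface, mac, session) or (interface, count)."""
    sessions = parse(lines)
    findings = {"auth_ok_authz_failed": [], "unknown_device": [], "repeated_failures": []}
    failures_per_port: Dict[str, int] = defaultdict(int)
    for sid, s in sessions.items():
        ev: Set[Event] = s["events"]
        authenticated = ("DOT1X", "SUCCESS") in ev or ("MAB", "SUCCESS") in ev
        if authenticated and ("AUTHMGR", "FAIL") in ev:
            # credentials were good, but the switch could not apply the authorization (e.g. bad VLAN)
            findings["auth_ok_authz_failed"].append((s["intf"], s["mac"], sid))
        if ("DOT1X", "FAIL") in ev and ("MAB", "FAIL") in ev:
            # neither a supplicant nor a known MAC: an unknown device on the port
            findings["unknown_device"].append((s["intf"], s["mac"], sid))
        if ("AUTHMGR", "FAIL") in ev:
            failures_per_port[s["intf"]] += 1
    findings["repeated_failures"] = sorted(
        (intf, n) for intf, n in failures_per_port.items() if n >= fail_threshold)
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(LOGS.splitlines()).items():
        print(kind, hits)
```

Feeding it the real syslog stream from the switches (or the ACS-collected copy) instead of LOGS is the only change needed; the AuditSessionID is also the key to correlate these lines with the RADIUS log on the ACS side.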


Expert Troubleshooter

Research failures by troubleshooting workflows


Session Summary


Deployment Considerations in a Nutshell

• Authentication: EAP, PKI, DBs; supplicants, re-auth, agentless
• Authorization: pre-auth, VLAN, ACL, failed auth, AAA down
• Phones: MDA, voice VSA, MAB behind phone
• Desktops: PXE, WoL, VM, Windows GPO, login scripts, machine auth, remote desktop
• Wireless: guest solution? implicit reliance on wired?
• Policy & Organization: teamwork (network, IT, desktop); policy definition & enforcement


Summary

• 802.1X improves enterprise security
• 802.1X improves enterprise visibility
• 802.1X is deployable now
• New features have significantly simplified deployment
• Deployment scenarios can be used as a starting point
• 802.1X is not only a network project; it affects the whole IT organization
